| 1 |
On 02/03/2017 01:12 AM, Walter Dnes wrote: |
| 2 |
> On Thu, Feb 02, 2017 at 01:01:52PM -0500, Rich Freeman wrote |
| 3 |
> |
| 4 |
>> Is there a better way we can have our cake and eat it too? I'll admit |
| 5 |
>> that a huge package.use on the minimal profile isn't a whole lot |
| 6 |
>> better than a huge package.use on all the other profiles. |
| 7 |
>> |
| 8 |
>> Do we need another form of syntax in individual ebuilds to try to |
| 9 |
>> separate out the various cases you cite? Does anybody care to |
| 10 |
>> actually suggest one? |
| 11 |
>> |
| 12 |
>> I still think that we shouldn't encourage users to lightly deviate |
| 13 |
>> from all the upstream defaults. There are of course legitimate |
| 14 |
>> reasons for doing so, and you and I can probably appreciate when we |
| 15 |
>> should do this, but for somebody starting out we're giving them a lot |
| 16 |
>> of rope to hang themselves with. |
| 17 |
> |
| 18 |
> The "case" for IUSE often depends on a fallacious strawman argument |
| 19 |
> about USE="-*". The strawman argument is that people run with the USE |
| 20 |
> variable in make.conf consisting of "USE=-*" and that every package |
| 21 |
> requires an entry in package.use WRONG! WRONG! WRONG! That is a braindead |
| 22 |
> approach. The way I recommend doing it is... |
| 23 |
> |
| 24 |
> USE="-* fu bar blah blah blah" |
| 25 |
> |
| 26 |
> ...where commonly-used flags are included in USE. My rule-of-thumb is |
| 27 |
> |
| 28 |
> Given that |
| 29 |
> * not including a flag in USE requires X entries adding it in package.use |
| 30 |
> * including a flag in USE requires Y entries negating it in package.use |
| 31 |
> |
| 32 |
> If ( X > Y ) then |
| 33 |
> include the the flag in USE |
| 34 |
> else |
| 35 |
> do not include the the flag in USE |
| 36 |
> end if |
| 37 |
> |
| 38 |
> I effectively "build my own profile" rather than depend on multiple |
| 39 |
> levels of inheritance. My current desktop runs with the following USE |
| 40 |
> flags... |
| 41 |
> |
| 42 |
> USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6 -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev -unicode -xinerama" |
| 43 |
> |
| 44 |
> Note all the negative flags. I'll try installing uclibc to a laptop |
| 45 |
> one of these days. I figure that it'll probably have a shorter USE line |
| 46 |
> if I start USE with "-*", and I will not have a larger package.use file. |
| 47 |
|
| 48 |
+1 |
| 49 |
|
| 50 |
I've used Gentoo since 2004. I started down the minimal flag path, first |
| 51 |
building iptables-based firewalls on gentoo. So that would be a |
| 52 |
(minimal)base+iptables profile. My historical experience is that flag |
| 53 |
negation has been a "dirty function" over the years; i.e. not consistent |
| 54 |
sometimes, across time. That has resulted in a variety of flag negation |
| 55 |
strategies to "tweek" the final results, seemingly more of an art form |
| 56 |
with hidden tricks, and a robust (documented) semantic. Most hard to |
| 57 |
track down problems were in the actual packages (ebuild) as we have |
| 58 |
danced across EAPI standards all the way back to no EAPI standards and a |
| 59 |
weak complement of documentation. |
| 60 |
|
| 61 |
This happened because of 'package creep' or just needing/wanting to add |
| 62 |
more and more codes to the firewalls. So now, my firewalls range from |
| 63 |
truly minimal, all the way to enhancements that supercede suricata. So |
| 64 |
imagine flags are a giant 'sparse matrix' that I need to 'mollify' |
| 65 |
individually periodically, then run CI on that complete-set of packages, |
| 66 |
and then test against automated attack vectors. |
| 67 |
|
| 68 |
|
| 69 |
With CI, in a stage-4 install, we minimalist could test the our |
| 70 |
collective of (minimized flag) packages and do our own CI. Even perhaps |
| 71 |
sharing the result of our CI testing of such minimized systems when a |
| 72 |
gentoo mechanism is available that can handle such massive amounts of |
| 73 |
data. I proposed this (CI-stage-4) a while back in a gentoo-dev thread |
| 74 |
and so here we are, again. Granted, this in-house gentoo-CI work was not |
| 75 |
ready for such wider usage, when I last looked, but it will go a long |
| 76 |
way in providing a robust tool for minimalist. Many are getting into the |
| 77 |
minimalist systems, for security reasons too. |
| 78 |
|
| 79 |
My needs, on the surface, may(maynot) appear to diverge from Walts, but |
| 80 |
I surely hope that whatever the consensus solution is, at least for now, |
| 81 |
it is flexible enough to coalesce all of the various minimalist into the |
| 82 |
same area of the profile tree. We can then share ideas and results of |
| 83 |
testing. |
| 84 |
|
| 85 |
I really need to apologize to many devs. But, I'm getting very close to |
| 86 |
having something absolutely wonderful, about 90% thanks to the gentoo |
| 87 |
devs. I do not want to appear to be childish throwing a tantrum about |
| 88 |
this, but, well, I just really cannot help it; as y'all can imagine? |
| 89 |
|
| 90 |
|
| 91 |
hth, |
| 92 |
James |
Archives