1 |
On 02/03/2017 01:12 AM, Walter Dnes wrote: |
2 |
> On Thu, Feb 02, 2017 at 01:01:52PM -0500, Rich Freeman wrote |
3 |
> |
4 |
>> Is there a better way we can have our cake and eat it too? I'll admit |
5 |
>> that a huge package.use on the minimal profile isn't a whole lot |
6 |
>> better than a huge package.use on all the other profiles. |
7 |
>> |
8 |
>> Do we need another form of syntax in individual ebuilds to try to |
9 |
>> separate out the various cases you cite? Does anybody care to |
10 |
>> actually suggest one? |
11 |
>> |
12 |
>> I still think that we shouldn't encourage users to lightly deviate |
13 |
>> from all the upstream defaults. There are of course legitimate |
14 |
>> reasons for doing so, and you and I can probably appreciate when we |
15 |
>> should do this, but for somebody starting out we're giving them a lot |
16 |
>> of rope to hang themselves with. |
17 |
> |
18 |
> The "case" for IUSE often depends on a fallacious strawman argument |
19 |
> about USE="-*". The strawman argument is that people run with the USE |
20 |
> variable in make.conf consisting of "USE=-*" and that every package |
21 |
> requires an entry in package.use WRONG! WRONG! WRONG! That is a braindead |
22 |
> approach. The way I recommend doing it is... |
23 |
> |
24 |
> USE="-* fu bar blah blah blah" |
25 |
> |
26 |
> ...where commonly-used flags are included in USE. My rule-of-thumb is |
27 |
> |
28 |
> Given that |
29 |
> * not including a flag in USE requires X entries adding it in package.use |
30 |
> * including a flag in USE requires Y entries negating it in package.use |
31 |
> |
32 |
> If ( X > Y ) then |
33 |
> include the the flag in USE |
34 |
> else |
35 |
> do not include the the flag in USE |
36 |
> end if |
37 |
> |
38 |
> I effectively "build my own profile" rather than depend on multiple |
39 |
> levels of inheritance. My current desktop runs with the following USE |
40 |
> flags... |
41 |
> |
42 |
> USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6 -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev -unicode -xinerama" |
43 |
> |
44 |
> Note all the negative flags. I'll try installing uclibc to a laptop |
45 |
> one of these days. I figure that it'll probably have a shorter USE line |
46 |
> if I start USE with "-*", and I will not have a larger package.use file. |
47 |
|
48 |
+1 |
49 |
|
50 |
I've used Gentoo since 2004. I started down the minimal flag path, first |
51 |
building iptables-based firewalls on gentoo. So that would be a |
52 |
(minimal)base+iptables profile. My historical experience is that flag |
53 |
negation has been a "dirty function" over the years; i.e. not consistent |
54 |
sometimes, across time. That has resulted in a variety of flag negation |
55 |
strategies to "tweek" the final results, seemingly more of an art form |
56 |
with hidden tricks, and a robust (documented) semantic. Most hard to |
57 |
track down problems were in the actual packages (ebuild) as we have |
58 |
danced across EAPI standards all the way back to no EAPI standards and a |
59 |
weak complement of documentation. |
60 |
|
61 |
This happened because of 'package creep' or just needing/wanting to add |
62 |
more and more codes to the firewalls. So now, my firewalls range from |
63 |
truly minimal, all the way to enhancements that supercede suricata. So |
64 |
imagine flags are a giant 'sparse matrix' that I need to 'mollify' |
65 |
individually periodically, then run CI on that complete-set of packages, |
66 |
and then test against automated attack vectors. |
67 |
|
68 |
|
69 |
With CI, in a stage-4 install, we minimalist could test the our |
70 |
collective of (minimized flag) packages and do our own CI. Even perhaps |
71 |
sharing the result of our CI testing of such minimized systems when a |
72 |
gentoo mechanism is available that can handle such massive amounts of |
73 |
data. I proposed this (CI-stage-4) a while back in a gentoo-dev thread |
74 |
and so here we are, again. Granted, this in-house gentoo-CI work was not |
75 |
ready for such wider usage, when I last looked, but it will go a long |
76 |
way in providing a robust tool for minimalist. Many are getting into the |
77 |
minimalist systems, for security reasons too. |
78 |
|
79 |
My needs, on the surface, may(maynot) appear to diverge from Walts, but |
80 |
I surely hope that whatever the consensus solution is, at least for now, |
81 |
it is flexible enough to coalesce all of the various minimalist into the |
82 |
same area of the profile tree. We can then share ideas and results of |
83 |
testing. |
84 |
|
85 |
I really need to apologize to many devs. But, I'm getting very close to |
86 |
having something absolutely wonderful, about 90% thanks to the gentoo |
87 |
devs. I do not want to appear to be childish throwing a tantrum about |
88 |
this, but, well, I just really cannot help it; as y'all can imagine? |
89 |
|
90 |
|
91 |
hth, |
92 |
James |