| 1 |
On Mon, 8 Sep 2003 02:08:51 +0000 |
| 2 |
Jan Krueger <jk@×××××××××××.net> wrote: |
| 3 |
|
| 4 |
> On Sunday 07 September 2003 23:41, Jon Portnoy wrote: |
| 5 |
> > You haven't explained why it's not sufficient. |
| 6 |
> Read again. |
| 7 |
> |
| 8 |
> > > Again examples from the actual tree, so you can try yourself: |
| 9 |
> > > 1. emerge ezmlm and emerge ezmlm-idx |
| 10 |
> > > providing slightly different funtionality they will overwrite each |
| 11 |
> > > other(instead of blocking each other) |
| 12 |
> > |
| 13 |
> > Bug. Is it filed? |
| 14 |
> Bug in portage! portage is the one that allows such integrity mess. |
| 15 |
|
| 16 |
I vote for the "bug in ebuild". In a recent thread [1] I've posted the |
| 17 |
results of a "search for files that belongs to several packages" on my |
| 18 |
system, and it's true that there are many such packages (nothing to |
| 19 |
worry about in general though). I think what lacks to gentoo developers |
| 20 |
(please devs, correct me if I'm wrong) is control mechanism do detect |
| 21 |
this kind of overwrites: they don't have all portage packages installed |
| 22 |
on their computer, and even if it was the case, portage does makes much |
| 23 |
noise about overwritings. Hence they don't detect this kind of bugs, but |
| 24 |
they are still package specific. |
| 25 |
|
| 26 |
Now, to improve this situation I imagine a kind of database of the |
| 27 |
different pkg-ver contents. When a dev tests a new ebuild for foo/bar, |
| 28 |
he could check against this base that the content of his package won't |
| 29 |
conflict with any other already existing package but other versions of |
| 30 |
foo/bar (idealy in the same slot). If there are conflicts, then he could |
| 31 |
add some blocking dependencies, or rename the files, or decide to accept |
| 32 |
the overwrite, and then submit the definitive content of his package |
| 33 |
to the database. |
| 34 |
|
| 35 |
I think in the above mentioned thread, somebody also suggested that |
| 36 |
overwritten files (excluding updates) should be archived by portage |
| 37 |
for safety (or at the contrary that they should not be merged and would |
| 38 |
require the user to explicitly make the overwriting). The idea sounds |
| 39 |
good, but his redundant with the above mentioned package content |
| 40 |
checking. I don't know what would be the best. I think this second one |
| 41 |
is closer to the behavior you expect, but I fear the "yet another task |
| 42 |
for emerge" effect which may compromise its speed. And I fear "user |
| 43 |
bugs": so many people forget to etc-update after a baselayout upgrade |
| 44 |
and then complain, so please, don't give them a "bin-update". |
| 45 |
|
| 46 |
And all this things may be useful from a quality point of view, but |
| 47 |
should not be consider as some "security" measures. Overwriting are |
| 48 |
often not needed for malicious code be executed by root: puting a file |
| 49 |
with the right name in another place of the path (or a library |
| 50 |
in /usr/local/lib for instance) will often be enough. We are back to the |
| 51 |
'trust ebuilds and devs' situation. |
| 52 |
|
| 53 |
Now about config files: sure things may be done differently, with maybe |
| 54 |
a little more control for the user. But in ebuilds I've read so far, |
| 55 |
postint commands that modify config files are really not harmful. Who |
| 56 |
want to manage by hand scrollkeeper entries or this kind of things? If |
| 57 |
you have examples of existing ebuilds with post_install commands that |
| 58 |
doesn't feet your needs, I'm sure bug reports will be welcome. |
| 59 |
|
| 60 |
> changeconf phph.ini "line to add to phpini" |
| 61 |
|
| 62 |
Can be done in src_install: read it, modify it, write it. You will |
| 63 |
have access to anything you really need (grep, sed, etc.), and user will |
| 64 |
have to accept the file with etc-update/dispatch-conf. But again, if it |
| 65 |
may be justified for php.ini, it is not for an xml catalog or other |
| 66 |
ugly things like this, and there the postinst commands are really |
| 67 |
handier. |
| 68 |
|
| 69 |
|
| 70 |
[1] http://article.gmane.org/gmane.linux.gentoo.devel/11630 |
| 71 |
|
| 72 |
-- |
| 73 |
TGL. |
| 74 |
|
| 75 |
-- |
| 76 |
gentoo-dev@g.o mailing list |
Archives