| 1 |
On 10/19/2013 08:29 PM, Anthony G. Basile wrote: |
| 2 |
> |
| 3 |
> Can you check to see if the || die is required only on packages before |
| 4 |
> EAPI = 5? Or is it on all EAPI versions? |
| 5 |
|
| 6 |
It's required anywhere you want the ebuild to die when pax-mark fails. |
| 7 |
AFAIK, the EAPI >= 4 auto-die behavior only applies to the commands |
| 8 |
listed in the PMS under "Ebuild-specific Commands". |
| 9 |
|
| 10 |
|
| 11 |
> Having said that, I'm not sure we want the ebuild to fail just because |
| 12 |
> pax-mark fails. People on vanilla profiles without xattr support will |
| 13 |
> be annoyed. |
| 14 |
|
| 15 |
Can this be done in the profiles instead of the eclass? |
| 16 |
|
| 17 |
Right now, the eclass sets PAX_MARKINGS="PT" for everyone when the |
| 18 |
variable is unset. On hardened, we probably want PAX_MARKINGS="PT" for |
| 19 |
now, PAX_MARKINGS="PT XT" later, and PAX_MARKINGS="XT" eventually. |
| 20 |
|
| 21 |
Non-hardened users don't care about the markings[1], so it doesn't |
| 22 |
matter to them whether or not pax-mark fails. But for hardened users, |
| 23 |
the package will be broken, so the ebuild should die. |
| 24 |
|
| 25 |
What would happen it we changed the line, |
| 26 |
|
| 27 |
PAX_MARKINGS=${PAX_MARKINGS:="PT"} |
| 28 |
|
| 29 |
in the eclass, to, |
| 30 |
|
| 31 |
PAX_MARKINGS=${PAX_MARKINGS:="none"} |
| 32 |
|
| 33 |
and added, |
| 34 |
|
| 35 |
PAX_MARKINGS="PT" |
| 36 |
|
| 37 |
to the hardened make.defaults? |
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
[1] There may be exceptions to this rule, but if we remove the PT |
| 42 |
default for non-hardened users, they can still set PAX_MARKINGS in |
| 43 |
make.conf if they want the markings. |
Archives