1 |
W dniu wto, 16.01.2018 o godzinie 23∶32 -0500, użytkownik Mike Gilbert |
2 |
napisał: |
3 |
> On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger <vapier@g.o> wrote: |
4 |
> > From: Mike Frysinger <vapier@××××××××.org> |
5 |
> > |
6 |
> > Some ebuilds are a bit hard to fix their use of the network in src |
7 |
> > phases, so allow them to disable things. This allows us to turn off |
8 |
> > access by default and for the vast majority while we work out how to |
9 |
> > fix the few broken packages. |
10 |
> |
11 |
> If we are going to allow network sandboxing to be disabled in |
12 |
> individual ebuilds, we should also allow the other sandboxes to be |
13 |
> disabled for the same reasons. sys-apps/sandbox has been notoriously |
14 |
> buggy, for example. |
15 |
> |
16 |
> Also, valid RESTRICT values are specified in PMS, so this really |
17 |
> belongs in an a new EAPI. |
18 |
|
19 |
As long as this isn't used in ::gentoo, I don't mind. However, for |
20 |
completeness I should point out that: |
21 |
|
22 |
a. you should be addressing the root issue and not bashing with big |
23 |
'sandbox' hammer whenever something fails -- i.e. if the problem is due |
24 |
to LD_PRELOAD being used (which is frequently the case), then |
25 |
the solution is to wipe LD_PRELOAD, |
26 |
|
27 |
b. you should be addressing it in as narrow scope as possible -- i.e. it |
28 |
is usually enough to disable sandbox for the execution of a single |
29 |
command rather than the whole ebuild. |
30 |
|
31 |
That said, app-portage/unsandbox is much cleaner solution here. |
32 |
|
33 |
-- |
34 |
Best regards, |
35 |
Michał Górny |