Re: [gentoo-dev] [RFC] Reinstatement of zstd and lzma as Global USE fla

    From Eli Schwartz@21:1/5 to All on Tue Nov 12 15:10:01 2024

    On 11/12/24 8:56 AM, Peter Böhm wrote:
    > Hello everyone,
    >
    > as far as I remember correctly, both were activated globally and were
    > only removed as global settings due to the security vulnerability of
    > zstd. This is now history and I would like to ask if we should
    > re-enable both globally?


    It actually happened in https://bugs.gentoo.org/928932

    The rationale for dropping it from global USE was:

    > This default doesn't actually solve the stated problem, and setting
    > it in a high-level profile causes new ones for users who want it
    > disabled. The obvious solution to revert to the status quo is to set
    > USE="-lzma", but that has the dangerous side-effect of overriding
    > IUSE defaults in packages where they are important. For example,
    > sys-apps/kmod uses +lzma to ensure that your kernel will boot if you
    > choose lzma compression for modules; helpful, because there's no
    > other way for the package manager to track that dependency.


    And the mailing list discussion involved was: https://public-inbox.gentoo.org/gentoo-dev/98d180b6db191830e9700d0f5b874274a3fd4755.camel@gentoo.org/

    Admittedly, some comments were made at the time that it was "interesting
    timing because of the xz backdoor" but the core point made by Michael is
    useful to note here:


    > What I am saying is that I want the freedom to not have things
    > pointlessly enabled on my systems, because similar problems (and
    > worse) happen all day every day. The less exposure I have, the
    > better. The liblzma backdoor was timely because it will prevent most
    > people from telling me I'm being paranoid, but it could have been
    > USE=anything on any other day. Moving the defaults out of the
    > high-level profiles will give control back to the user, hence my
    > complaint about it.

    --
    Eli Schwartz
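As an added illustration of the precedence the quoted bug comment describes (example code written for this page, not code from the thread or from Portage): a small Python model of USE-flag resolution. The IUSE strings are constructed (only the +lzma default on sys-apps/kmod comes from the thread), and the layer order IUSE defaults < profile make.defaults < make.conf < package.use is assumed from the Portage documentation.

```python
# Constructed IUSE strings for the model; only "+lzma" on sys-apps/kmod
# is taken from the thread, the rest is made up for illustration.
EBUILDS = {
    "sys-apps/kmod": "+lzma +zstd pkcs7 static-libs",
    "app-arch/libarchive": "acl bzip2 +e2fsprogs expat +iconv lzma zstd",
    "dev-libs/libxml2": "debug examples icu lzma python readline static-libs",
}

def parse_iuse(iuse):
    """Return (flags, defaults): every flag the ebuild knows, and those with a '+' default."""
    flags, defaults = set(), set()
    for tok in iuse.split():
        name = tok.lstrip("+-")
        flags.add(name)
        if tok.startswith("+"):
            defaults.add(name)
    return flags, defaults

def apply_use_string(enabled, use_string, known):
    """Apply one USE layer ("foo -bar") on top of 'enabled'; flags not in IUSE are ignored."""
    for tok in use_string.split():
        name = tok.lstrip("-")
        if name not in known:
            continue
        if tok.startswith("-"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled

def effective_use(pkg, profile_use="", makeconf_use="", package_use=None):
    """Enabled flags for pkg under the assumed precedence (later layers override earlier ones)."""
    flags, defaults = parse_iuse(EBUILDS[pkg])
    enabled = set(defaults)                                              # 1. IUSE defaults
    apply_use_string(enabled, profile_use, flags)                        # 2. profile make.defaults
    apply_use_string(enabled, makeconf_use, flags)                       # 3. /etc/portage/make.conf
    apply_use_string(enabled, (package_use or {}).get(pkg, ""), flags)   # 4. package.use
    return enabled

def clobbered_defaults(makeconf_use):
    """Packages whose '+' IUSE defaults a global make.conf negation would silently switch off."""
    negated = {t[1:] for t in makeconf_use.split() if t.startswith("-")}
    return {pkg: sorted(parse_iuse(iuse)[1] & negated)
            for pkg, iuse in EBUILDS.items() if parse_iuse(iuse)[1] & negated}

if __name__ == "__main__":
    # Reverting a global default with USE="-lzma" also strips kmod's own +lzma default...
    print(effective_use("sys-apps/kmod", makeconf_use="-lzma"))
    # ...which this audit makes visible before the next kernel module rebuild.
    print(clobbered_defaults("-lzma -zstd"))
```

The last function is the check a user would want before adding a negated flag to make.conf: it lists the per-package defaults that the negation would override, which is exactly the kmod case the bug comment warns about.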
