Bug 355915 - Hardened profiles inadvertently enable the unicode USE flag
Summary: Hardened profiles inadvertently enable the unicode USE flag
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-21 22:03 UTC by Francisco Blas Izquierdo Riera
Modified: 2011-06-28 21:41 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Description Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2011-02-21 22:03:46 UTC
The hardened profiles incorrectly enable the unicode USE flag although they should disable this. This was discovered after some recent changes.

The solution applied was reordering the parents of the profiles so the hardened profile had the last say on which USE flags are enabled or disabled.

Reproducible: Always

(As of this writing this bug is resolved, but it is left just as an annotation on what was done and why.)
Comment 1 Anthony Basile gentoo-dev 2011-02-21 22:08:37 UTC
This was resolved by moving the inheritance from hardened/linux to the bottom of the stack in the following files:

   hardened/linux/amd64/parent
   hardened/linux/ia64/parent
   hardened/linux/powerpc/parent
   hardened/linux/powerpc/ppc32/parent
   hardened/linux/powerpc/ppc64/parent
   hardened/linux/x86/parent

Comment 2 Gordon Malm (RETIRED) gentoo-dev 2011-02-22 18:46:46 UTC
We discussed this a bit in IRC, but I will recap here.

Revision history of one of the parent files:  http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/profiles/hardened/linux/amd64/parent?view=log

As one can see, this is the same change that was made in bug #282800 that needed to be reverted.  In those days, this broke things (beyond just what was in that bug).  These days it appears the change is "ok", though I am still getting comfortable with the change.  I've pointed out before that inherit order is extremely important.  Robbat2 has done some interesting profile graphing in the past: http://dev.gentoo.org/~robbat2/profile-graph/.

Let's look at the previous inherit order briefly.  In profiles/hardened/linux/amd64/parent we had:
../../../base
..
../../../arch/amd64
../../../releases/10.0 

base system -> apply base hardening on top -> arch bits/maskings, unmaskings -(temp & perm)/etc. -> release-specific bits -> hardened-specific amd64 dir (so place to unmask/remask amd64 bits that may not be hardened-compat).

Now we have:
../../../base
../../../arch/amd64
../../../releases/10.0 
..

base system -> arch bits/maskings, unmaskings -(temp & perm)/etc. -> release-specific bits -> apply base hardening on top -> hardened-specific amd64 dir.

Now there is a lot to discuss about how this can/does work in practice.  When you start poking around at the contents of .. vs. the two profiles it's being re-ordered against and imagine developers adding temporary maskings/unmaskings, etc. you can get a good idea how it will interact.  One thing to keep in mind is that you have two very distinct "insertion points" in the previous model, whereas now the two areas "under control of hardened" (.. and .) are serial.

After looking through it a bit, it does appear that at this time we could do/go either way.  A few things have been re-ordered/changed "upstream" (mainline gentoo profiles) and our own profile-house is in much better order than in the past.

Mull it over a bit.  If you do decide to stick with the "new" way, we should take the next steps and actually make good use of the new order by merging common/duplicated items in the hardened-arch subprofiles into the common hardened base profile (the nvidia maskings/USE masks for instance).  Also, there are some old bits in hardened/linux/use.mask that need to be removed:
emul-linux-x86

# tcc is x86-only
tcc

emul-linux-x86 is masked in base, unmasked in the amd64 arch dir.  This is a straggler from the really old single-inheritance hardened/ profiles that was being negated in the previous inherit order, but now rears its head and is masking even on amd64 (upstream is handling the flag properly, so we should just remove/untouch it).  tcc should be a similar story.

Thank you for your time, consideration and hard work.
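Comment 2 explains that the order of lines in a profile's parent file decides which layer gets the last word on incremental settings. The following Python simulation of Portage's profile stacking is an added example, not code from this bug or from Portage; it uses a constructed five-profile tree (the USE= contents of make.defaults and the use.mask entries are assumed values modelled as a `use` string and a `use.mask` list) and compares the old and new parent orders for hardened/linux/amd64.

```python
"""Toy simulation of Portage profile stacking (added example, not Portage code).
Parents listed in a profile's `parent` file are applied in order, each one
recursively, and the profile's own files are applied last; incremental settings
(USE in make.defaults, use.mask) let a later layer override an earlier one."""
from posixpath import join, normpath

OLD_PARENT = ["../../../base", "..", "../../../arch/amd64", "../../../releases/10.0"]
NEW_PARENT = ["../../../base", "../../../arch/amd64", "../../../releases/10.0", ".."]

def build_tree(leaf_parents):
    """Constructed profile dir -> files (not the real Gentoo tree).  'use'
    stands in for USE= in make.defaults, 'use.mask' for the use.mask file."""
    return {
        "base":                 {"use": "", "use.mask": []},
        "arch/amd64":           {"use": "mmx sse", "use.mask": ["-emul-linux-x86"]},
        "releases/10.0":        {"use": "unicode ipv6", "use.mask": []},
        "hardened/linux":       {"use": "-unicode", "use.mask": ["emul-linux-x86", "tcc"]},
        "hardened/linux/amd64": {"use": "", "use.mask": [], "parent": leaf_parents},
    }

def stack(profile, tree):
    """Order in which the profile directories are applied: parents first
    (depth-first, in parent-file order), then the profile itself."""
    order = []
    for rel in tree[profile].get("parent", []):
        order.extend(stack(normpath(join(profile, rel)), tree))
    order.append(profile)
    return order

def apply_incremental(current, tokens):
    """'-flag' removes a flag (or unmasks it), anything else adds it."""
    for tok in tokens:
        if tok.startswith("-"):
            current.discard(tok[1:])
        else:
            current.add(tok)

def effective_use(profile, tree):
    """Return (enabled flags, masked flags) after walking the whole stack."""
    enabled, masked = set(), set()
    for d in stack(profile, tree):
        apply_incremental(enabled, tree[d]["use"].split())
        apply_incremental(masked, tree[d]["use.mask"])
    return enabled - masked, masked

if __name__ == "__main__":
    for name, parents in (("old", OLD_PARENT), ("new", NEW_PARENT)):
        on, off = effective_use("hardened/linux/amd64", build_tree(parents))
        print(name, "order: unicode enabled =", "unicode" in on, "masked =", sorted(off))
```

With the old order the release profile's USE="unicode" lands after hardened's "-unicode" (the reported bug) and the arch unmask cancels hardened's emul-linux-x86 mask; with the new order hardened wins both, which is exactly the straggler mask the comment says now shows up on amd64.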
Comment 3 Anthony Basile gentoo-dev 2011-02-23 01:44:42 UTC
*** Bug 356149 has been marked as a duplicate of this bug. ***
Comment 4 Gordon Malm (RETIRED) gentoo-dev 2011-02-24 17:36:11 UTC
hardened/linux/amd64/package.use.mask:>=dev-util/kdevelop-3.9.98 cxx
hardened/linux/x86/package.use.mask:>=dev-util/kdevelop-3.9.98 cxx

<Zorry> we can remove the kdevelop cxx use mask we have newer gdb that works
<Zorry> gengor: we can remove all the kdevelop cxx use mask on the profile

Just noting it here with the others from the previous comment, we'll be doing a cleanup after the overall structure problem is resolved.
Comment 5 Gordon Malm (RETIRED) gentoo-dev 2011-02-24 17:36:47 UTC
<Zorry> sci-libs/acml-3.6  in package.mask can be removed too, I think
<Zorry> dep was newer gcc-4.2
Comment 6 Magnus Granberg gentoo-dev 2011-02-24 17:44:43 UTC
package.use.mask app-emulation/wine    win64  dep gcc 4.4
some more cleaning
Comment 7 Pryka 2011-06-28 06:42:59 UTC
Sorry for opening this; I just migrated to the Hardened profile on amd64 and don't understand why the Unicode flag is (-) by default. Can someone explain this to me?

Can I safely change it to (+)?


And what about ipv6 and fortran? Why are they (-)? I can't find answers for those questions in the documentation.

Best Regards

PS. Sorry for my English, I'm from Poland.
Comment 8 Anthony Basile gentoo-dev 2011-06-28 15:04:10 UTC
(In reply to comment #7)
> Sorry for opening this; I just migrated to the Hardened profile on amd64 and
> don't understand why the Unicode flag is (-) by default. Can someone explain
> this to me?
> 
> Can I safely change it to (+)?
> 
> 
> And what about ipv6 and fortran? Why are they (-)? I can't find answers for
> those questions in the documentation.
> 
> Best Regards
> 
> PS. Sorry for my English, I'm from Poland.

It is safe to change +unicode, +ipv6 and +fortran.  There is no strong reason for the decisions.
Comment 9 Pryka 2011-06-28 15:31:13 UTC
(In reply to comment #8)
> It is safe to change +unicode, +ipv6 and +fortran.  There is no strong reason
> for the decisions.

Thank you for the answer, I've got one more question.

The use flags:
-3dnow
-3dnowext
-mmx
-mmxext
-sse
-sse2
-sse3
-ssse3

are masked in /usr/portage/profiles/hardened/amd64/use.mask

But when I run emerge mplayer -pv I can see that none of these flags are currently masked; they are only "un-active" and some of them are even active at this moment. Please look:

[ebuild   R    ] media-video/mplayer-1.0_rc4_p20110322  USE="X a52 alsa ass cdio dirac dts dv dvd dvdnav enca encode faac faad fbcon gif iconv jpeg live lzo mmx mp3 network opengl osdmenu png quicktime rar real rtc schroedinger shm speex sse sse2 theora toolame tremor truetype twolame vorbis x264 xscreensaver xv xvid -3dnow -3dnowext -aalib (-altivec) -amr (-aqua) -bidi -bindist -bl -bluray -bs2b -cddb -cdparanoia -cpudetection -custom-cpuopts -debug -dga -directfb -doc -dvb -dxr3 -esd -ftp -ggi -gsm -ipv6* -jack -joystick -jpeg2k -ladspa -libcaca -libmpeg2 -lirc -mad -md5sum -mmxext* -mng -mpg123 -nas -nut -openal -oss -pnm -pulseaudio -pvr -radio -rtmp -samba -sdl -ssse3* -tga -unicode* -v4l -v4l2 (-vdpau) (-vidix) -vpx (-win32codecs) -xanim -xinerama -xvmc -zoran" VIDEO_CARDS="-mga -s3virge -tdfx -vesa"

The only masked ones are (-altivec), (-aqua), (-vdpau), (-vidix) and (-win32codecs)

Maybe I just don't understand the structure of /etc/portage/profiles but I've looked in every use.mask in /etc/portage/profiles/hardened and I can't see a correlation between those files and what I actually see in the emerge pretend USE flags.
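The emerge -pv line above mixes three notations, and the question comes from reading a disabled flag (-mmxext*) as a masked one ((-vdpau)). This Python classifier is an added example, not code from this bug or from Portage; the sample line is a constructed shortening of the mplayer line above, and treating a parenthesised flag without a minus as profile-forced is an assumption beyond what the output here shows.

```python
"""Classify the USE string printed by `emerge -pv` (added example).
Notation as seen in the output above: a bare flag is enabled, '-flag' is
disabled but still user-changeable, '(-flag)' is masked by the profile so
the user cannot enable it, and a trailing '*' marks a flag whose state
differs from the installed build.  '(flag)' is read as profile-forced
(assumption, not shown on this page)."""
import re

# Constructed sample: a shortened form of the mplayer line in the comment above.
SAMPLE = ('[ebuild   R    ] media-video/mplayer-1.0_rc4_p20110322  '
          'USE="X mmx sse -3dnow (-altivec) -ipv6* -mmxext* (-vdpau) -unicode*" '
          'VIDEO_CARDS="-mga -vesa"')

VAR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_use_vars(line):
    """Return {VAR: [tokens]} for every VAR="..." group (USE, VIDEO_CARDS, ...)."""
    return {m.group(1): m.group(2).split() for m in VAR_RE.finditer(line)}

def classify(tokens):
    """Split one flag list into enabled / disabled / masked / forced / changed."""
    out = {k: set() for k in ("enabled", "disabled", "masked", "forced", "changed")}
    for tok in tokens:
        locked = tok.startswith("(")          # parentheses: profile decided, not the user
        changed = "*" in tok                  # asterisk: differs from the installed build
        name = tok.replace("*", "").strip("()")
        off = name.startswith("-")
        name = name.lstrip("-")
        if changed:
            out["changed"].add(name)
        if locked:
            out["masked" if off else "forced"].add(name)
        else:
            out["disabled" if off else "enabled"].add(name)
    return out

def classify_line(line):
    """Classify every expand variable on one emerge output line."""
    return {var: classify(toks) for var, toks in parse_use_vars(line).items()}

if __name__ == "__main__":
    for var, groups in classify_line(SAMPLE).items():
        print(var, {k: sorted(v) for k, v in groups.items() if v})
```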
Comment 10 Anthony Basile gentoo-dev 2011-06-28 21:41:29 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > It is safe to change +unicode, +ipv6 and +fortran.  There is no strong reason
> > for the decisions.
> 
> Thank you for the answer, I've got one more question.
> 
> The use flags:
> -3dnow
> -3dnowext
> -mmx
> -mmxext
> -sse
> -sse2
> -sse3
> -ssse3
> 
> are masked in /usr/portage/profiles/hardened/amd64/use.mask
> 
> But when I run emerge mplayer -pv I can see that none of these flags are
> currently masked; they are only "un-active" and some of them are even active
> at this moment. Please look:
> 
> [ebuild   R    ] media-video/mplayer-1.0_rc4_p20110322  USE="X a52 alsa ass
> cdio dirac dts dv dvd dvdnav enca encode faac faad fbcon gif iconv jpeg live
> lzo mmx mp3 network opengl osdmenu png quicktime rar real rtc schroedinger shm
> speex sse sse2 theora toolame tremor truetype twolame vorbis x264 xscreensaver
> xv xvid -3dnow -3dnowext -aalib (-altivec) -amr (-aqua) -bidi -bindist -bl
> -bluray -bs2b -cddb -cdparanoia -cpudetection -custom-cpuopts -debug -dga
> -directfb -doc -dvb -dxr3 -esd -ftp -ggi -gsm -ipv6* -jack -joystick -jpeg2k
> -ladspa -libcaca -libmpeg2 -lirc -mad -md5sum -mmxext* -mng -mpg123 -nas -nut
> -openal -oss -pnm -pulseaudio -pvr -radio -rtmp -samba -sdl -ssse3* -tga
> -unicode* -v4l -v4l2 (-vdpau) (-vidix) -vpx (-win32codecs) -xanim -xinerama
> -xvmc -zoran" VIDEO_CARDS="-mga -s3virge -tdfx -vesa"
> 
> The only masked ones are (-altivec), (-aqua), (-vdpau), (-vidix) and
> (-win32codecs)
> 
> Maybe I just don't understand the structure of /etc/portage/profiles but I've
> looked in every use.mask in /etc/portage/profiles/hardened and I can't see a
> correlation between those files and what I actually see in the emerge pretend
> USE flags.

We should not use bugzilla for support.  Use the forums for that.  This bug is about the unicode USE flag.  We use the forums for support.