Bug 764248 - net-proxy/privoxy: unsatisfied REQUIRED_USE requirements with defaults / invalid USE=openssl use
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Andrew Savchenko
Reported: 2021-01-07 08:34 UTC by Michał Górny
Modified: 2021-01-07 15:30 UTC
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 08:34:56 UTC
The following REQUIRED_USE flag constraints are unsatisfied:
    ssl? ( exactly-one-of ( mbedtls openssl ) )


You should really default to OpenSSL w/ USE=-mbedtls, and stop requiring all Gentoo users to hit REQUIRED_USE conflicts.
Comment 1 Andrew Savchenko gentoo-dev 2021-01-07 09:15:14 UTC
No:

1) Upstream prefers mbedtls.

2) USE="ssl" is very different for this package from usual expectations from SSL: it allows MITM for SSL traffic using intermediate certificate. I want users to enable this stuff **only** if they read the docs and understand what they are doing and why.
Comment 2 Andreas Sturmlechner gentoo-dev 2021-01-07 09:24:15 UTC
Topic was not resolved.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 09:28:42 UTC
(In reply to Andrew Savchenko from comment #1)
> 2) USE="ssl" is very different for this package from usual expectations from
> SSL: it allows MITM for SSL traffic using intermediate certificate. I want
> users to enable this stuff **only** if they read the docs and understand
> what they are doing and why.

Then it shouldn't be USE=ssl.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 09:35:22 UTC
If upstream prefer mbedtls, please just enable that. This sort of thing makes automated testing (and life for users) unnecessarily frustrating.

But I also don’t love using USE=ssl, a USE flag with a well-defined meaning, for something totally out there and rather niche. Would you mind changing it?
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 09:44:15 UTC
Actually, upstream preference matters little if it's about TLS provider used by hundreds of packages vs a package almost nobody on Gentoo uses.
Comment 6 Andrew Savchenko gentoo-dev 2021-01-07 09:57:18 UTC
(In reply to Sam James from comment #4)
> If upstream prefer mbedtls, please just enable that. This sort of thing
> makes automated testing (and life for users) unnecessarily frustrating.

Automated testing can be fixed. Users need to be careful with this flag, so it works as expected.
 
> But I also don’t love using USE=ssl, a USE flag with a well-defined meaning,
> for something totally out there and rather niche. Would you mind changing it?

I understand and partially agree. However for a filtering proxy it is natural to intercept and modify data. For example, in privoxy USE=zlib allows to unpack and filter zlib data, the same with USE=brotli and brotli-compressed data; so USE=ssl is no different here: it allows users to filter SSL traffic by setting up their own CA (which must be trusted on clients of course), decrypting and filtering SSL connections in privoxy and encrypting data between privoxy and end users using custom CA.

I can set USE="-ssl" by default. Will this help with your automated setup?
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 10:35:21 UTC
(In reply to Andrew Savchenko from comment #6)
> (In reply to Sam James from comment #4)
> > If upstream prefer mbedtls, please just enable that. This sort of thing
> > makes automated testing (and life for users) unnecessarily frustrating.
> 
> Automated testing can be fixed. Users need to be careful with this flag, so
> it works as expected.

No, it doesn't.  If users are asked to choose between mbedtls and openssl, they choose between mbedtls and openssl.  They don't perform deep research whether USE=ssl could magically do something unusual.

> I can set USE="-ssl" by default. Will this help with your automated setup?

https://devmanual.gentoo.org/general-concepts/use-flags/index.html#iuse-defaults
Comment 8 Andrew Savchenko gentoo-dev 2021-01-07 11:09:01 UTC
(In reply to Michał Górny from comment #7)
> (In reply to Andrew Savchenko from comment #6)
> > (In reply to Sam James from comment #4)
> > > If upstream prefer mbedtls, please just enable that. This sort of thing
> > > makes automated testing (and life for users) unnecessarily frustrating.
> > 
> > Automated testing can be fixed. Users need to be careful with this flag, so
> > it works as expected.
> 
> No, it doesn't.  If users are asked to choose between mbedtls and openssl,
> they choose between mbedtls and openssl.  They don't perform deep research
> whether USE=ssl could magically do something unusual.

Gentoo developers should not decide for users what to do or why to do, they should provide means for making choice. I'm doing just this.

> > I can set USE="-ssl" by default. Will this help with your automated setup?
> 
> https://devmanual.gentoo.org/general-concepts/use-flags/index.html#iuse-defaults

The only real problem in this bug is that REQUIRED_USE in privoxy hinders automated testing software. I'm not privy to details of the setup of that software, so I may only guess what measure may be effective and what not. If such software uses repo-level changes with USE=ssl then proposed change would be useful (according to the man make.conf USE_ORDER = "env:pkg:conf:defaults:pkginternal:features:repo:env.d", so pkginternal > repo).

The following two statements are conflicting:

> and stop requiring all Gentoo users to hit REQUIRED_USE conflicts.
...
> vs a package almost nobody on Gentoo uses

Because package's REQUIRED_USE affects only users of a package (including any automation if it tries to use this package).

So please elaborate with automated testing setup details.
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 11:28:08 UTC
(In reply to Andrew Savchenko from comment #8)
> Gentoo developers should not decide for users what to do or why to do, they
> should provide means for making choice. I'm doing just this.

This is nonsense.  Gentoo developers are supposed to provide good defaults when it makes sense, not force every user to hand-pick every possible option.  Stop harming Gentoo by playing your own private distro inside it.
Comment 10 Andrew Savchenko gentoo-dev 2021-01-07 12:49:50 UTC
(In reply to Michał Górny from comment #9)
> (In reply to Andrew Savchenko from comment #8)
> > Gentoo developers should not decide for users what to do or why to do, they
> > should provide means for making choice. I'm doing just this.
> 
> This is nonsense.  Gentoo developers are supposed to provide good defaults
> when it makes sense, not force every user to hand-pick every possible
> option.

And privoxy has good and reasonable defaults: ssl is not forced out of the box.

> Stop harming Gentoo by playing your own private distro inside it.

I'm protecting Gentoo users' freedom of choice from openssl enforcement on every corner.

Anyway I'm recommending you to stay professional and technical and provide necessary automated testing details requested above. Without knowing what is exactly wrong with automated testing, I can't tweak package to work around that.

Is the problem with REQUIRED_USE triggering with USE="openssl mbedtls"? I can rewrite ebuild without REQUIRED_USE for ssl with a warning on openssl being disabled when both USE flags are present.
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 13:21:49 UTC
(In reply to Andrew Savchenko from comment #10)
> And privoxy has good and reasonable defaults: ssl is not forced out of the
> box.

Wrong.  USE=ssl is enabled by Linux profiles.

> > Stop harming Gentoo by playing your own private distro inside it.
> 
> I'm protecting Gentoo users' freedom of choice from openssl enforcement on
> every corner.

No, you're abusing your maintainer status to push your own preferences against packaging consistency in Gentoo.

> Is the problem with REQUIRED_USE triggering with USE="openssl mbedtls"? I
> can rewrite ebuild without REQUIRED_USE for ssl with a warning on openssl
> being disabled when both USE flags are present.

No, the first problem is that the default profile enables USE=ssl but neither USE='openssl mbedtls'.  The second problem is that you're deliberately forcing users into meaningless REQUIRED_USE conflicts against Gentoo good practices.
Comment 12 Andrew Savchenko gentoo-dev 2021-01-07 13:55:07 UTC
(In reply to Michał Górny from comment #11)
> (In reply to Andrew Savchenko from comment #10)
> > And privoxy has good and reasonable defaults: ssl is not forced out of the
> > box.
> 
> Wrong.  USE=ssl is enabled by Linux profiles.

It's up to the users what profile to select and what flags to override.

> > > Stop harming Gentoo by playing your own private distro inside it.
> > 
> > I'm protecting Gentoo users' freedom of choice from openssl enforcement on
> > every corner.
> 
> No, you're abusing your maintainer status to push your own preferences
> against packaging consistency in Gentoo.

I'm following "stay close to upstream" good practice.
 
> > Is the problem with REQUIRED_USE triggering with USE="openssl mbedtls"? I
> > can rewrite ebuild without REQUIRED_USE for ssl with a warning on openssl
> > being disabled when both USE flags are present.
> 
> No, the first problem is that the default profile enables USE=ssl but
> neither USE='openssl mbedtls'.  The second problem is that you're
> deliberately forcing users into meaningless REQUIRED_USE conflicts against
> Gentoo good practices.

OK, I'll enable mbedtls by default if ssl is enabled.
Comment 13 Andreas Sturmlechner gentoo-dev 2021-01-07 13:58:55 UTC
(In reply to Andrew Savchenko from comment #12)
> (In reply to Michał Górny from comment #11)
> > (In reply to Andrew Savchenko from comment #10)
> > > And privoxy has good and reasonable defaults: ssl is not forced out of the
> > > box.
> > 
> > Wrong.  USE=ssl is enabled by Linux profiles.
> 
> It's up to the users what profile to select and what flags to override.
Do you really want to get into a discussion about what percentage of users will have a linux profile enabled and how it is a good use of anyone's time to present them with n default REQUIRED_USE conflicts (think if everyone did that)?
Comment 14 Larry the Git Cow gentoo-dev 2021-01-07 15:30:40 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3c965d37acea5479b08abcbeb0bc05d1aa0a0a2

commit a3c965d37acea5479b08abcbeb0bc05d1aa0a0a2
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-01-07 15:27:25 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-01-07 15:30:27 +0000

    net-proxy/privoxy: enable mbedtls by default
    
    In order to avoid REQUIRED_USE conflict on default Linux profile
    mbedtls is enabled as default ssl implementation, but both mbedtls
    and openssl are ignored if ssl support is disabled.
    
    Closes: https://bugs.gentoo.org/764248
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/privoxy-3.0.29.ebuild | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
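
The conflict reported in this bug and the effect of an IUSE default, as an added example that is neither Portage's code nor the privoxy ebuild: a small evaluator for REQUIRED_USE syntax (`flag?`, `||`, `^^` exactly-one-of, `??`) run against stacked USE settings. The two IUSE strings are constructed for illustration, and `effective_use` is a simplified stand-in for Portage's USE stacking.

```python
# Illustration only: a minimal REQUIRED_USE checker, not Portage's implementation.
def _parse(tokens, pos=0):
    """Parse tokens into nested nodes until ')' or end of input."""
    nodes = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            return nodes, pos + 1
        if tok.endswith("?") or tok in ("||", "^^"):
            if tokens[pos + 1:pos + 2] != ["("]:
                raise ValueError(f"expected '(' after {tok!r}")
            children, pos = _parse(tokens, pos + 2)
            nodes.append((tok, children))  # 'flag?' conditional or ||, ^^, ??
        else:
            nodes.append(tok)  # plain 'flag' or '!flag'
            pos += 1
    return nodes, pos

def _holds(node, use):
    if isinstance(node, str):
        return node[1:] not in use if node.startswith("!") else node in use
    op, children = node
    if op in ("||", "^^", "??"):
        count = sum(_holds(c, use) for c in children)
        return {"||": count >= 1, "^^": count == 1, "??": count <= 1}[op]
    if not _holds(op[:-1], use):  # condition not met: group does not apply
        return True
    return all(_holds(c, use) for c in children)

def unsatisfied(required_use, use):
    """Top-level constraints of required_use that the USE set violates."""
    nodes, _ = _parse(required_use.split())
    return [n for n in nodes if not _holds(n, use)]

def effective_use(iuse, *layers):
    """IUSE '+flag' defaults first, then USE layers from low to high priority."""
    use = {f[1:] for f in iuse.split() if f.startswith("+")}
    for layer in layers:
        for flag in layer.split():
            use.discard(flag[1:]) if flag.startswith("-") else use.add(flag)
    return use & {f.lstrip("+-") for f in iuse.split()}

REQUIRED_USE = "ssl? ( ^^ ( mbedtls openssl ) )"   # constraint quoted in the bug
PROFILE = "ssl"                       # per the thread, Linux profiles enable ssl
IUSE_OLD = "mbedtls openssl ssl"      # constructed: no provider on by default
IUSE_NEW = "+mbedtls openssl ssl"     # constructed: mbedtls on by default
if __name__ == "__main__":
    for iuse, user in [(IUSE_OLD, ""), (IUSE_NEW, ""), (IUSE_NEW, "openssl")]:
        use = effective_use(iuse, PROFILE, user)
        print(iuse, "| user:", user or "-", "|", unsatisfied(REQUIRED_USE, use) or "ok")
```

With the default in place, a user who sets only `USE=openssl` still trips the exactly-one-of group; selecting OpenSSL takes `USE="openssl -mbedtls"`.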