As part of a regular gnome install, I need to unset recursion-limit on dev-libs/libpcre2 The following USE changes are necessary to proceed: (see "package.use" in the portage(5) man page for more details) # required by gui-libs/gtksourceview-5.4.0::gentoo # required by gnome-extra/gnome-calculator-42.0::gentoo # required by gnome-base/gnome-extra-apps-40.0::gentoo # required by gnome-base/gnome-40.0::gentoo[extras] # required by @kobboi-package-nice-desktop # required by @kobboi-machine-samsonov # required by @kobboi-all-machines # required by @kobboi-all-packages # required by @selected # required by @world (argument) >=dev-libs/libpcre2-10.39 -recursion-limit Not sure what the policy is making such a change in a profile or even a package, but from discussing with leio: (12:55:34) leio: there were no objections on IRC on just dropping this legacy USE=recursion-limit with no good reasoning given, but I didn't follow-up on it yet with a bugzilla entry or more poking to get it removed by base-system@ (12:56:29) leio: I wasn't aware it got unmasked without that (12:58:47) leio: floppym_ and sam_ should know what's up, maybe a bug to make sure it gets sorted So here's the bug :) Reproducible: Always
Consider libpcre as well, which has the same unexplained legacy limitation. Albeit maybe there the security considerations are more real, dunno. For GNOME we need to get rid of it on libpcre2 or at least significantly increase the limit from USE=recursion-limit from current 8k to at least 4 times more, but probably more like 10+ times more to be safe. Looked like making it just always do what upstream would do (MATCH_LIMIT instead of 8096), at least for libpcre2, had an initial agreement, hence I had made gtksourceview have a "libpcre2[-recursion-limit(-)]" dep already
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=713db8fe4e7363c39fadb7e10396e8d32b519ab1 commit 713db8fe4e7363c39fadb7e10396e8d32b519ab1 Author: Mike Gilbert <floppym@gentoo.org> AuthorDate: 2022-03-22 14:27:08 +0000 Commit: Mike Gilbert <floppym@gentoo.org> CommitDate: 2022-03-22 15:12:42 +0000 dev-libs/libpcre2: drop 'recursion-limit' USE flag Closes: https://bugs.gentoo.org/835796 Signed-off-by: Mike Gilbert <floppym@gentoo.org> dev-libs/libpcre2/{libpcre2-10.39.ebuild => libpcre2-10.39-r1.ebuild} | 3 +-- dev-libs/libpcre2/metadata.xml | 4 ---- 2 files changed, 1 insertion(+), 6 deletions(-) Additionally, it has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f140c24292730f0fc225ff6683589fc84d63a45 commit 0f140c24292730f0fc225ff6683589fc84d63a45 Author: Mike Gilbert <floppym@gentoo.org> AuthorDate: 2022-03-22 14:29:43 +0000 Commit: Mike Gilbert <floppym@gentoo.org> CommitDate: 2022-03-22 15:12:42 +0000 dev-libs/libpcre: drop 'recursion-limit' USE flag Bug: https://bugs.gentoo.org/835796 Signed-off-by: Mike Gilbert <floppym@gentoo.org> dev-libs/libpcre/{libpcre-8.45.ebuild => libpcre-8.45-r1.ebuild} | 5 ++--- dev-libs/libpcre/metadata.xml | 4 ---- 2 files changed, 2 insertions(+), 7 deletions(-)
Some more context from #gentoo-base (before Kobboi's snippet from #gentoo-desktop): """ [17:37:55] <+leio> !meta -v libpcre2 [17:37:56] <willikins> leio: dev-libs/libpcre2; maintainers: base-system [17:37:57] <willikins> leio: (base-system@gentoo.org) chutzpah, dilfridge, floppym, gyakovlev, mattst88, robbat2, sam, soap, vapier, whissi, williamh, zlogene [17:38:08] <+leio> what's the story with libpcre2 default USE=recursion-limit? [17:38:24] <+leio> I'm hitting https://gitlab.gnome.org/GNOME/gtksourceview/-/issues/255 due to it [17:39:13] <@sam_> https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/libpcre2?id=007fa4785d2ab60f839db2c84d850920e6d59604 [17:39:18] <@sam_> been that way since addition [17:40:10] <+leio> it is carried over from libpcre [17:40:32] <+leio> where it was introduced before git [17:43:49] <+leio> https://gitweb.gentoo.org/repo/gentoo/historical.git/commit/?id=c515e5fab4f478dccf4089f49b67b6de886ba567 [17:44:13] <+leio> https://bugs.gentoo.org/333355 [17:44:22] <+leio> so then it was made an option to stop enforcing the low recursion limit [17:45:06] <+leio> why do we default to something other than upstream here, and why do we provide an option at all on this? [17:48:22] <@floppym> Very useful message by solar: https://gitweb.gentoo.org/archive/repo/gentoo-2.git/commit/?id=f1bcab5c478664dc2a701d901e0dc8534a0f036e [17:49:43] <@floppym> https://gitweb.gentoo.org/archive/repo/gentoo-2.git/commit/?id=902be2104016ab20b5ac5196b85d0fc7da123509 [17:50:34] <@floppym> My only guess is that setting a limit prevents broken software from triggering infinite recursion. [17:51:42] <+leio> there's still a limit, 1 million or something [17:51:47] <@floppym> The upstream default appears to be 10000000. [17:52:05] <+leio> ok, 10 million [17:52:43] <@floppym> I don't see any references to relevant security bugs, so I think removing the flag and going with the upstream default would be fine. [17:52:53] <@mattst88> ++ [17:53:47] <+leio> the test starts to pass if I raise it to 32768 (4 times bigger); still failed if made 16384 [17:54:48] <@sam_> neither debian nor fedora bother with it either [17:57:15] <+leio> it's there for libpcre (1) too [21:02:53] <+leio> regarding libpcre2, I'm going to hard require libpcre2[-recursion-limit(-)] and it'll be extremely fun for users with gnome 42 then. I'll try to remember about filing bug tomorrow if someone doesn't follow up without meanwhile """
