| Summary: | dev-libs/libgcrypt - please add static-libs to IUSE defaults | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Jorge Manuel B. S. Vicetto <jmbsvicetto> |
| Component: | New packages | Assignee: | Crypto team [DISABLED] <crypto+disabled> |
| Status: | VERIFIED WONTFIX | | |
| Severity: | normal | CC: | jdavid.ibp, mr_bones_, reavertm, releng |
| Priority: | High | | |
| Version: | autobuilds | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Jorge Manuel B. S. Vicetto (RETIRED)
2011-01-21 01:15:16 UTC
InCVS.

@release team Is it possible to add 'dev-libs/libgcrypt static-libs' to /etc/portage/package.use of installcd-stage1 instead? Reopening.

Please next time provide a reasoning before reopening a bug assigned to another team, when said team was okay with the original resolution, as well as the reporter.

Reasoning is obvious: said package configuration is required only for stage1 building and not for default end-user deployment. Enabling static libs for security library makes it possible for certain specific buildsystems to pick up static lib by default on emerge (when both static and shared are available), causing libgcrypt to be linked statically. Security fixes to libgcrypt will not propagate to client software automatically in such case.

Given that no difference applies from what we had _before_ introducing static-libs, your reasoning is way too general. Do you have an example of one particular case of a package mistakenly linking to libgcrypt statically instead of dynamically? If not, I don't see any high risk in security. Also, I'd like to point out to you that this is not the first package with a default-enabled static-libs USE flag; beside the high-number of packages that simply don't give you a choice and force you to install both.

And number of those is gradually being reduced. Maybe it's better not to reintroduce static libs just in any case if there are simple means (provided there are that is, hence my question to release/catalyst team) to avoid requiring them.

We don't use a custom /etc/portage/* in stage building. In this case, we might instead just enable the static-libs use flag globally for the install-cd.

As requested by Arfrever, I'm adding a note here. I remove my request in this bug to add static-libs to IUSE defaults as it doesn't work for the ISO building. I forgot we have USE="-*" on installcd-stage1 specs, so IUSE defaults end up being overridden by the specs. To fix the issue caused by the dependency on dev-libs/libgcrypt[static-libs], I instead added static-libs to the list of USE flags in the installcd-stage1 specs. Sorry for the extra work and thanks for your quick reaction.

I have reverted that change due to comment #9.

But then, users cannot emerge cryptsetup again. We can add static-libs to the package.use file for libgcrypt, but then why not add it by default. libgcrypt MUST be static until cryptsetup can be dynamic.

    $ emerge -vp cryptsetup

    These are the packages that would be merged, in order:

    Calculating dependencies... done!

    emerge: there are no ebuilds built with USE flags to satisfy "dev-libs/libgcrypt[static-libs]".
    !!! One of the following packages is required to complete your request:
    - dev-libs/libgcrypt-1.4.6 (Change USE: +static-libs)
    (dependency required by "sys-fs/cryptsetup-1.1.3-r3" [ebuild])
    (dependency required by "cryptsetup" [argument])

(In reply to comment #11)
> users cannot emerge cryptsetup again.

Users should configure their systems in the way appropriate for them. Personally I use sys-fs/cryptsetup with USE="-static". Many users need dev-libs/libgcrypt not for sys-fs/cryptsetup, but for other packages (e.g. app-crypt/gnupg).

(In reply to comment #12)
> (In reply to comment #11)
> > users cannot emerge cryptsetup again.
>
> Users should configure their systems in the way appropriate for them.
> Personally I use sys-fs/cryptsetup with USE="-static". Many users need
> dev-libs/libgcrypt not for sys-fs/cryptsetup, but for other packages (e.g.
> app-crypt/gnupg).

cryptsetup doesn't have "static" in stable version (1.1.3-r3), but "dynamic", which is unset by default. With unstable version of cryptsetup (1.2.0-r1) is even worse, as it has "+static", so you cannot disable it and you MUST enable "static-libs" in libgcrypt. And almost everybody has cryptsetup installed, as it is needed by hal with the USE flag "crypt" (which is the default).

I think that if cryptsetup has +static, libgcrypt should also have it.

(In reply to comment #13)
> With unstable version of cryptsetup (1.2.0-r1) is even worse, as it has
> "+static", so you cannot disable it

    # echo "sys-fs/cryptsetup -static" >> /etc/portage/package.use

(In reply to comment #14)
> (In reply to comment #13)
> > With unstable version of cryptsetup (1.2.0-r1) is even worse, as it has
> > "+static", so you cannot disable it
>
> # echo "sys-fs/cryptsetup -static" >> /etc/portage/package.use
>

You're right. I thought "+static" has precedence over the package.use file, but I was wrong. Anyway you cannot even do "emerge system" in an empty box without creating a package.use file. I think this is not good.
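
The USE-flag precedence this thread turns on (an IUSE default lost to USE="-*" in the installcd-stage1 specs, and "+static" yielding to package.use), shown as an added example that is not part of the bug thread or of Portage's own code: a simplified model of incremental USE stacking. It assumes Portage's default USE_ORDER, treats the spec's USE as the env layer, and uses a "+static-libs" IUSE default for libgcrypt only as the hypothetical this bug requested.

```python
# Simplified model of Portage's incremental USE stacking (added example,
# not Portage code). Layers are applied lowest priority first, i.e. the
# default USE_ORDER "env:pkg:conf:defaults:pkginternal:repo:env.d" read
# right to left; only the layers this thread mentions are modelled.
LAYER_ORDER = ["pkginternal", "defaults", "conf", "pkg", "env"]


def resolve_use(iuse, layers):
    """Return the set of enabled USE flags for one package.

    iuse   -- IUSE tokens from the ebuild, e.g. ["+static", "nls"]
    layers -- dict mapping a layer name to its list of USE tokens
              ("pkg" = package.use, "conf" = make.conf, "env" = environment;
              the catalyst spec's USE is assumed to arrive as "env")
    """
    known = {tok.lstrip("+-") for tok in iuse}
    stacked = dict(layers)
    # IUSE defaults ("+flag") form the lowest-priority layer.
    stacked["pkginternal"] = [t.lstrip("+") for t in iuse if t.startswith("+")]
    enabled = set()
    for name in LAYER_ORDER:
        for tok in stacked.get(name, []):
            if tok == "-*":            # wipes everything set by lower layers
                enabled.clear()
            elif tok.startswith("-"):
                enabled.discard(tok[1:])
            else:
                enabled.add(tok)
    return enabled & known             # only flags the ebuild declares apply


def dep_satisfied(required_flag, provider_use):
    """Check a USE dependency such as dev-libs/libgcrypt[static-libs]."""
    return required_flag in provider_use


if __name__ == "__main__":
    # Hypothetical "+static-libs" IUSE default under the spec's USE="-*":
    # the default is wiped, so libgcrypt[static-libs] stays unsatisfied.
    print(resolve_use(["+static-libs"], {"env": ["-*"]}))
    # Listing the flag in the spec's USE itself restores it.
    print(resolve_use(["static-libs"], {"env": ["-*", "static-libs"]}))
    # cryptsetup-1.2.0-r1 "+static" against a package.use entry "-static".
    print(resolve_use(["+static"], {"pkg": ["-static"]}))
```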