Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 344373 - net-irc/quassel dependency changed to dev-db/sqlite[-secure-delete], which conflicts to net-libs/xulrunner[system-sqlite] dependency on dev-db/sqlite[secure-delete]
Summary: net-irc/quassel dependency changed to dev-db/sqlite[-secure-delete], which co...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal
Assignee: Tomáš Chvátal (RETIRED)
URL: http://sources.gentoo.org/cgi-bin/vie...
Whiteboard:
Keywords:
: 551018 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-11-06 12:11 UTC by Cyprien Nicolas (fulax)
Modified: 2020-06-21 00:53 UTC (History)
10 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Quassel ebuild without -secure-delete on sqlite (quassel-0.7.2.ebuild,4.54 KB, text/plain)
2011-04-10 17:16 UTC, Awad Mackie
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Cyprien Nicolas (fulax) 2010-11-06 12:11:13 UTC
Hi, I just synced my portage tree, and when running the classical emerge -DuNa @world, I ran in the following:

emerge: there are no ebuilds built with USE flags to satisfy "dev-db/sqlite[threadsafe,-secure-delete]".
!!! One of the following packages is required to complete your request:
- dev-db/sqlite-3.7.3 (Change USE: -secure-delete)
(dependency required by "net-irc/quassel-0.7.1" [installed])
(dependency required by "@selected")
(dependency required by "@world" [argument])

But net-libs/xulrunner requires dev-db/sqlite to be compiled with USE=secure-delete (for obvious security reasons).

AFAIK, the fact sqlite is compiled with secure-delete does not enforce apps depending on sqlite to suffer from it, if they don't explicitly request this feature...

Can scarabeus be more precise about the change 1.5 in the bug URL?

Thanks
Comment 1 Daniel Pielmeier gentoo-dev 2010-11-06 13:03:53 UTC
net-libs/xulrunner only requires dev-db/sqlite to be compiled with
USE=secure-delete if you use system-sqlite
Comment 2 Cyprien Nicolas (fulax) 2010-11-06 13:18:28 UTC
(In reply to comment #1)
> net-libs/xulrunner only requires dev-db/sqlite to be compiled with
> USE=secure-delete if you use system-sqlite
> 

You're right, I edited the summary to reflect this fact.
Comment 3 Awad Mackie 2010-12-29 01:41:21 UTC
Now also affects www-client/chromium with USE="system-sqlite"
Comment 4 Awad Mackie 2011-04-10 17:16:23 UTC
Created attachment 269343 [details]
Quassel ebuild without -secure-delete on sqlite

Just tested the attached ebuild after re-emerging sqlite with secure-delete and quassel as well. Both client and core seem to work on a quick test, any other things to try?
Comment 5 Tomáš Chvátal (RETIRED) gentoo-dev 2011-04-10 19:22:15 UTC
Damn i thought i already replied to this.

Within sqlite there is switch that makes all deletes really secure but damn slow, by slow i mean that all the operations are at ~10-30% of its speed.

This switch can be enabled on runtime, but some crazy upstreams decided that sqlite must be secure always so thus there is secure-delete useflag. If it is enabled it enforces the feature every time making it slow all the time.

Now as you can see your client/server will work, but it will be shit-ass slow on quite few operations.

I really don't plan or want to fix this (you still can use non-system sqlite by those packages or better persuade the upstream to stop being stupid and use runtime options when they are availible).
Comment 6 Awad Mackie 2011-04-10 22:29:18 UTC
(In reply to comment #5)
> Damn i thought i already replied to this.
> 
> Within sqlite there is switch that makes all deletes really secure but damn
> slow, by slow i mean that all the operations are at ~10-30% of its speed.
> 
> This switch can be enabled on runtime, but some crazy upstreams decided that
> sqlite must be secure always so thus there is secure-delete useflag. If it is
> enabled it enforces the feature every time making it slow all the time.
> 
> Now as you can see your client/server will work, but it will be shit-ass slow
> on quite few operations.
> 
> I really don't plan or want to fix this (you still can use non-system sqlite by
> those packages or better persuade the upstream to stop being stupid and use
> runtime options when they are availible).

Okay, thanks for clearing that up. Should have realized this, I've come across it before.
Comment 7 Diogo Pereira 2011-06-19 01:11:34 UTC
Tomáš, can you please reopen and fix this?

I have been using Quassel for a few weeks with secure-delete enabled and it works very well for me.

You can always add an ewarn if you really feel that it is necessary. A dependency is too harsh.
Comment 8 Jaak Ristioja 2011-06-19 06:17:41 UTC
In my humble opinion, the correct solution would be to make secure deletion in dev-db/sqlite an option at run-time rather than at compile-time. This would make it possible to enable/disable secure deletion on a per-ebuild basis, or indeed at run-time.
Comment 9 Diogo Pereira 2011-06-19 07:57:05 UTC
(In reply to comment #8)
> In my humble opinion, the correct solution would be to make secure deletion in
> dev-db/sqlite an option at run-time rather than at compile-time. This would
> make it possible to enable/disable secure deletion on a per-ebuild basis, or
> indeed at run-time.

There is a way to change it at run-time (PRAGMA secure_delete), the problem is that Firefox upstream refuses to do it at run-time and instead insists that SQLite must default to secure-delete=true, to save on their typing.

So, because Firefox doesn't want to request non-standard behavior at run-time, everyone else is forced to request standard behavior at run-time.

Anyway, this has been discussed at length before, both here and at Mozilla, and is not likely to change anytime soon. The only thing I'm asking here is that we don't make a bad situation worse. I'd rather take the performance hit than use FF's bundled libs, and anyone who sets USE=secure-delete probably feels the same.
Comment 10 Jaak Ristioja 2011-06-19 22:47:04 UTC
(In reply to comment #9)
> There is a way to change it at run-time (PRAGMA secure_delete), the problem is
> that Firefox upstream refuses to do it at run-time and instead insists that
> SQLite must default to secure-delete=true, to save on their typing.
> 
> So, because Firefox doesn't want to request non-standard behavior at run-time,
> everyone else is forced to request standard behavior at run-time.
> 
> Anyway, this has been discussed at length before, both here and at Mozilla, and
> is not likely to change anytime soon. The only thing I'm asking here is that we
> don't make a bad situation worse. I'd rather take the performance hit than use
> FF's bundled libs, and anyone who sets USE=secure-delete probably feels the
> same.

I'd trust the sqlite developers on this matter. According to http://www.sqlite.org/compile.html they default to not using secure-delete. And for good reasons, I suppose.

I believe the right thing to do were to patch Firefox/Icecat regardless of upstream being cocky on this matter. It is rather evident that they would only benefit from the performance gain of using PRAGMA secure_delete at runtime where needed.

Does Gentoo even need Mozilla's permission for this or are we dealing with Free Software here?
Comment 11 Diogo Pereira 2011-06-19 23:43:40 UTC
(In reply to comment #10)
> I believe the right thing to do were to patch Firefox/Icecat regardless of
> upstream being cocky on this matter.

The Mozilla herd doesn't want to do it. See bug 304913.
Comment 12 Richard Freeman gentoo-dev 2013-05-03 10:31:01 UTC
So, I understand why the secure-delete implementation in sqlite is dumb.

What I don't understand is why it is a dependency for quassel.  Yes, it doesn't work as well with it enabled.  Neither does any other package that depends on sqlite.  

This really seems to me like a valid bug.  By all means ewarn if it has an unusually significant impact on sqlite, or just einfo to point it out in case the user set it inadvertently.  However, it should not be a blocker for installation.
Comment 13 Tomáš Chvátal (RETIRED) gentoo-dev 2013-05-03 12:12:14 UTC
(In reply to comment #12)
> So, I understand why the secure-delete implementation in sqlite is dumb.
> 
> What I don't understand is why it is a dependency for quassel.  Yes, it
> doesn't work as well with it enabled.  Neither does any other package that
> depends on sqlite.  
> 
> This really seems to me like a valid bug.  By all means ewarn if it has an
> unusually significant impact on sqlite, or just einfo to point it out in
> case the user set it inadvertently.  However, it should not be a blocker for
> installation.

Dunno if word TOO slow is not for you. But simply it is not working well with it enabled. Yes it will install but produce various runtime issues, so it is up to you to deal with the problems yourself. Problem is on mozilla side not here. THe secure-delete should never be useflagged as it is brainead idea.
Comment 14 Richard Freeman gentoo-dev 2013-05-03 12:44:35 UTC
(In reply to comment #13)
> Dunno if word TOO slow is not for you. But simply it is not working well
> with it enabled. Yes it will install but produce various runtime issues, so
> it is up to you to deal with the problems yourself. Problem is on mozilla
> side not here. THe secure-delete should never be useflagged as it is
> brainead idea.

I'll agree that it is a braindead idea.

I just checked and it seems like the packages I was aware of which required it to be set are gone now, so this might be moot.  If it ever becomes non-moot it might be worth some thought, but no sense debating hypotheticals.
Comment 15 Johannes Huber (RETIRED) gentoo-dev 2015-08-08 13:01:47 UTC
*** Bug 551018 has been marked as a duplicate of this bug. ***
Comment 16 Diogo Pereira 2015-08-08 17:19:22 UTC
I don't use this anymore but...

(In reply to Tomáš Chvátal from comment #13)
> Dunno if word TOO slow is not for you. But simply it is not working well with it enabled.

It was not too slow for me. It worked well with it enabled. It should be obvious, but whether it is too slow or not is completely dependent on hardware, usage and expectations, like pretty much every other program.

> Problem is on mozilla side not here. 

There is a problem on the Mozilla side, and there is a different, completely artificial problem here that you created all by yourself.

> THe secure-delete should never be useflagged as it is brainead idea.

So is making Quassel depend on -secure-delete.