Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 705394 - profiles/package.mask is masking security holes when infinitely "testing"
Summary: profiles/package.mask is masking security holes when infinitely "testing"
Alias: None
Product: Quality Assurance
Classification: Unclassified
Component: Disputes/raising issues (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Quality Assurance Team
Depends on:
Reported: 2020-01-14 06:37 UTC by Ulenrich
Modified: 2021-07-21 01:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ulenrich 2020-01-14 06:37:47 UTC
An horrible example at first:
--- profiles/package.mask
# Matti Bickel <> (2014-04-22)
# Masked slotted lua for testing
# William Hubbs <> (2016-08-07)
# Taking this mask since Mabi is retired
# Rafael Martins <> (2016-12-04)
# Adding Lua 5.3 to mask

# Samuli Suominen <> (2012-03-06)
# Masked for testing since this is known to break nearly
# every reverse dependency wrt bug 407091

stable dev-lang/lua-5.1.5 was released upstream:
--- 17 Feb 2012
    Lua 5.1.5 released. This is a bug-fix release. 

Gentoo has an official release for _testing_
It is called "Gentoo unstable" ! 
Instead of using the _unstable_ release as supposed,
we get 4 version bumps of other packages masked,
because of a missing (masked) Lua version.
In essence, because the testing-mask of Lua
other packages cannot be tested with new versions.

I suggest:
Ban the wrong wording "masked for testing"
( _testing_ is the Gentoo unstable release!)
instead suggest "masked for experiments"
and _limit_ an experimental period 
4 weeks of 4 months but not 8 years!

I came to this story lately, because my computer got frozen several times.
I had activated the USE=lua in media-video/mpv shortly before ... and saw
me using the ten years old scripting machine of Lua.
Comment 1 Ulenrich 2020-01-14 06:57:29 UTC
Further: In front of profiles/package.mask 
should be placed an explanation as follows:
When a version is "masked for experiments"
you can help providing a bunch of users 
getting a better Gentoo experience by doing
your experiments with that version, because
after #TimePeriod all of Gentoo users have 
to experiment otherwise.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-14 07:50:55 UTC
See also
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-14 08:56:42 UTC
I've proposed a few times that we should drop this failed experiment and let people start over.
Comment 4 Ulenrich 2020-01-14 10:43:27 UTC
When comparing with Debian, they have one "state" more than we have:

A) Debian-experimental==package.mask/unkeyworded a very new project arrives
B) Debian-unstable==Gentoo.unstable, but package is whacky (really is unstable)
C) Debian-testing==Gentoo.unstable, package is on its way getting stable status
D) Debian-stable==Gentoo.stable + we are rolling the release!

B) is the moment, 
when a Gentoo maintainer decides to package.mask the keyworded new version of a package, because they know many users allow unstable packages, because they want the new hot thing, but expect it to be usable (like Debian-testing)
If we don't want the effort of an additional Gentoo release, we could introduce an additional list positioned in profiles/ - or better:
An additional portage flag (experiment-with-me) could allow these ebuilds or is an additional package.mask list. Emerge, when allowed "experiment-with-me" and using an version mentioned in this list, could display a purpose for the experiment:
"unstable warning: please test this version of lua-xy with media-video/mpv"
Otherwise the new list is just added to the old package.mask internally.

... this just is an idea how to encourage maintainers to let users experiment.
Comment 5 Ulenrich 2020-01-14 11:19:10 UTC
Indeed, the new list should be named

as it should be handled exactly like package.mask
but makes a different purpose of the mask explicit.
A user masking a version should not be surprised,
because the version keeps masked status.

The maintainer can introduce a new version for a few days in
The moment he knows the limitations of the ebuild better, he 
can express exactly a pointed warning for the users and push 
the ebuild for a wider audience into