"emaint -f binhost" leaks settings of the main system into the package file in PKGDIR. For an example see https://gentoo.osuosl.org/releases/s390/binpackages/17.0/s390/Packages The packages have been built natively on s390, where also the initial package index is generated. Above is what results after signing some packages and then calling "emaint -f binhost" for the directory on an amd64-hardened machine. The starting lines of the file are a rather silly mix. Stars "**" added by me. ** ACCEPT_KEYWORDS: amd64 ACCEPT_LICENSE: @FREE @FREE @BINARY-REDISTRIBUTABLE vim.org as-is ACCEPT_PROPERTIES: * ACCEPT_RESTRICT: * ** ARCH: amd64 ** CBUILD: x86_64-pc-linux-gnu CHOST: s390-ibm-linux-gnu CONFIG_PROTECT: /etc /usr/share/gnupg/qualified.txt CONFIG_PROTECT_MASK: /etc/ca-certificates.conf /etc/dev.d /etc/env.d /etc/gconf /etc/gentoo-release /etc/init.d /etc/revdep-rebuild /etc/sandbox.d /etc/scsi_id.config /etc/terminfo /etc/udev ELIBC: glibc FEATURES: assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg buildpkg-live compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms split-elog split-log splitdebug strict unknown-features-warn unmerge-orphans userfetch userpriv usersandbox usersync xattr GENTOO_MIRRORS: https://gentoo.osuosl.org/ https://distfiles.gentoo.org/ INSTALL_MASK: /lib*/firmware/amdgpu/* /lib*/firmware/ar3k/* /lib*/firmware/ath*k* /lib*/firmware/*dvb* /lib*/firmware/i2400m* /lib*/firmware/i6050* /lib*/firmware/i915/* /lib*/firmware/iwlwifi* /lib*/firmware/libertas/* /lib*/firmware/matrox/* /lib*/firmware/mediatek/* /lib*/firmware/mwl8k/* /lib*/firmware/mwlwifi/* /lib*/firmware/netronome/* /lib*/firmware/nvidia/* /lib*/firmware/radeon/* /lib*/firmware/rtl_bt/* /lib*/firmware/rtlwifi/* /lib*/firmware/rtw88/* /lib*/firmware/ueagle-atm/* /lib*/firmware/v4l-* IUSE_IMPLICIT: 
abi_x86_64 prefix prefix-guest prefix-stack KERNEL: linux PACKAGES: 329 ** PROFILE: default/linux/amd64/17.0/hardened TIMESTAMP: 1692264326 ** USE: abi_x86_64 acl ada_target_gnat_2021 amd64 apache2 apache2_modules_access_compat apache2_modules_actions apache2_modules_alias apache2_modules_asis apache2_modules_auth_basic ...
PS. I haven't actually seen any negative impact of this. Still...
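
Added example (not part of the report and not Portage code): a small Python check that parses the header of a Packages index and lists the fields that contradict CHOST, run on header values abridged from the report above. The CPU_TO_ARCH mapping, the function names and the CPV entry are assumptions made for this illustration.

```python
# Added example: flag Packages-index header fields that disagree with CHOST.
# CPU_TO_ARCH is an assumed, partial mapping chosen for this illustration.
CPU_TO_ARCH = {"x86_64": "amd64", "s390": "s390", "aarch64": "arm64"}

# Header values abridged from the report above; the CPV entry is constructed.
SAMPLE = """\
ACCEPT_KEYWORDS: amd64
ARCH: amd64
CBUILD: x86_64-pc-linux-gnu
CHOST: s390-ibm-linux-gnu
PACKAGES: 329
PROFILE: default/linux/amd64/17.0/hardened
USE: abi_x86_64 acl amd64 apache2

CPV: app-misc/example-1.0
"""

def parse_header(text):
    """Return the index header as a dict; the header ends at the first blank line."""
    header = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip()] = value.strip()
    return header

def host_leaks(header, native=True):
    """Return (field, value) pairs that contradict the CHOST of the packages."""
    chost = header.get("CHOST", "")
    expected = CPU_TO_ARCH.get(chost.split("-", 1)[0])
    if expected is None:
        raise ValueError(f"cannot map CHOST {chost!r} to an ARCH")
    foreign = set(CPU_TO_ARCH.values()) - {expected}
    findings = []
    if header.get("ARCH", expected) != expected:
        findings.append(("ARCH", header["ARCH"]))
    # For natively built packages CBUILD should equal CHOST; cross builds differ.
    if native and header.get("CBUILD", chost) != chost:
        findings.append(("CBUILD", header["CBUILD"]))
    if foreign & set(header.get("PROFILE", "").split("/")):
        findings.append(("PROFILE", header["PROFILE"]))
    for field in ("ACCEPT_KEYWORDS", "USE"):
        hits = sorted(foreign & {t.lstrip("~") for t in header.get(field, "").split()})
        if hits:
            findings.append((field, " ".join(hits)))
    return findings

if __name__ == "__main__":
    for field, value in host_leaks(parse_header(SAMPLE)):
        print(f"{field}: {value}")
```

Pass native=False for a cross-built binhost, where CBUILD legitimately differs from CHOST.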
Making this block gentoo-binhost since we should maybe at least poke it a little bit...
I'm not sure if this is intentional or not. I guess it's wrong because you're just regenerating it from the host, even though it got built natively on s390, rather than cross-built binpkgs. Zac?
We should be able to drop anything not related to bug 640318 or bug 644990.
Some miscellaneous things were exposed here:

https://gitweb.gentoo.org/proj/portage.git/commit/?id=80df4d593c66a45d855c1986bae3328a866318c7

commit 80df4d593c66a45d855c1986bae3328a866318c7
Author: Zac Medico <zmedico@gentoo.org>
Date: 2007-06-01 01:50:06 +0000

    Add some additional variables to the Packages header.

    svn path=/main/trunk/; revision=6705