Walter Dnes posted on Mon, 31 Dec 2012 01:44:25 -0500 as excerpted:

> Moving USE flags from local to global status is frequently discussed
> here, so this seems to be the right forum to raise the issue...
> 
> [d531][waltdnes][~] grep suid /usr/portage/profiles/use.desc
> suid - Enable setuid root program, with potential security risks
> 
> [d531][waltdnes][~] grep :suid /usr/portage/profiles/use.local.desc
> [several package hits]

This is now routine.  Try it with the "bindist" USE flag (and see the 
current thread), for instance.

Promoting a flag to global does mean it gets a global description in 
use.desc, but per-package descriptions continue to be encouraged where 
they are useful, as they can often describe in much more detail what 
the flag actually does in that specific package than the global 
description can.  (Those per-package descriptions are now maintained 
in the per-package metadata.xml files; a tree maintenance script keeps 
use.local.desc current based on the metadata files, so the tools that 
use it keep working.)

>   BTW, I would've appreciated a headsup (news item) on Xorg getting the
> "suid" USE flag.  I use startx, and I couldn't start X <G>. 

OTOH, I followed the gentoo recommendation to do a dry run (emerge --
pretend or --ask) and actually LOOK at what's changing in terms of USE 
flags, etc, look any of the new ones up I'm not sure on (equery uses 
<pkg> in another terminal works), then if necessary, say "no" to the --
ask and make USE flag changes, etc, before going ahead with the "live" 
run.

As such, I saw the change (which is even colored differently so it's easy 
to pick out), did a quick equery uses xorg-server in a different window 
to see what was going on, and decided to go ahead.  In my case, I didn't 
have USE=suid set at all in make.conf, so the xorg-server ebuild's use-
default to ON was in effect, and I didn't have a problem.

(I was curious, however, as I'd been reading about running X as non-root, 
and after seeing that the upgrade did work with the same SUID executable 
it had before, I remerged without SUID to try it out, much faster the 
second time with ccache and since I wasn't doing other builds at the same 
time.  THEN I ran into the problem you did, but that was the only change 
I made and it was deliberate, so I knew the problem and could immediately 
undo it.)

Gentoo isn't a hand-holding distro.  The changes were there to be seen in 
the recommended emerge --pretend or --ask, and adjusted if needed 
beforehand, and you chose not to take advantage of that.  I guess some 
people just have to find out the hard way why such recommendations are 
there.

Of course, if you prefer a distro that makes such decisions (and takes 
responsibility for them accordingly) for you, there are plenty of distros 
around that offer more of that than gentoo does.  If you don't have the 
time or patience to do the dry-runs and check changes before going through 
with them, perhaps one of those would be more appropriate.  There's no 
shame in deciding that gentoo's simply not an appropriate distro for your 
needs, and choosing one of the others instead.

All that said, more documentation and warning wouldn't have hurt, and the 
news feature was designed for exactly this sort of thing.  Except that 
the package maintainer has to think of it, and I guess they didn't in 
this case.  But it still shouldn't have been a problem as a responsible 
admin had plenty of warning already, via the USE flag change itself.

> Fortunately,
> that was on my netbook, and I was able to Google the solution on my
> desktop machine... http://en.spontex.org/forum/thread/561/1/  I'm
> posting a heads up on the user list.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
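As an added example (not part of Duncan's post and not Gentoo's own tooling): the dry-run check described above, done with a small POSIX shell filter instead of by eye. It reads emerge -pv output and lists, per package, only the USE flags that emerge marks as new ("%" suffix) or toggled since the last merge ("*" suffix), the same markers emerge(1) documents. The function name changed_use is this example's own, and the sample emerge lines it ships with are constructed for the demo, not captured from a real system; on a real box you would pipe the actual emerge -pv output into it.

```shell
#!/bin/sh
# Added example: filter emerge -pv output down to packages whose USE
# string carries flags emerge marks as new ("%") or toggled ("*").
# The function name changed_use is this example's own; the sample
# output below is constructed, not captured from a real system.

# Constructed sample of emerge -pv lines (one package per line).
SAMPLE_EMERGE_OUTPUT='[ebuild     U  ] x11-base/xorg-server-1.13.1 [1.12.4] USE="ipv6 nptl suid%* udev xorg -dmx -doc -kdrive -minimal -static-libs -tslib"
[ebuild   R    ] x11-apps/xinit-1.3.2  USE="-minimal"
[ebuild     U  ] media-libs/mesa-9.0.1 [8.0.4] USE="classic gallium llvm* nptl -bindist% -debug"'

# Read emerge -pv output on stdin; print "atom: flag ..." for every
# package that has at least one new or changed USE flag.
changed_use() {
    # Keep only [ebuild ...] lines, capture the package atom and the
    # contents of its USE="..." string as two whitespace-separated fields.
    sed -n 's/^\[ebuild[^]]*\] \([^ ]*\).*USE="\([^"]*\)".*/\1 \2/p' |
    while read -r atom flags; do
        hits=""
        for f in $flags; do
            case "$f" in
                *%*|*\**) hits="$hits $f" ;;   # "%" new flag, "*" toggled flag
            esac
        done
        if [ -n "$hits" ]; then
            printf '%s:%s\n' "$atom" "$hits"
        fi
    done
}

# Run with --demo to see the filter applied to the constructed sample.
# Real use:  emerge -pv --update --deep @world | changed_use
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_EMERGE_OUTPUT" | changed_use ;;
esac
```

Anything the filter prints is a package whose USE set is about to change under you; that is the moment to run equery uses on it in another terminal and decide whether to adjust make.conf or package.use before answering the --ask prompt. Note that the filter only reports what emerge itself already shows; it does not catch a flag whose default is unchanged but whose effect in the package changed.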

