On 02/03/2017 01:12 AM, Walter Dnes wrote:
On Thu, Feb 02, 2017 at 01:01:52PM -0500, Rich Freeman wrote
Is there a better way we can have our cake and eat it too? I'll admit
that a huge package.use on the minimal profile isn't a whole lot
better than a huge package.use on all the other profiles.
Do we need another form of syntax in individual ebuilds to try to
separate out the various cases you cite? Does anybody care to
actually suggest one?
I still think that we shouldn't encourage users to lightly deviate
from all the upstream defaults. There are of course legitimate
reasons for doing so, and you and I can probably appreciate when we
should do this, but for somebody starting out we're giving them a lot
of rope to hang themselves with.
The "case" for IUSE often depends on a fallacious strawman argument
about USE="-*". The strawman argument is that people run with the USE
variable in make.conf consisting of "USE=-*" and that every package
requires an entry in package.use WRONG! WRONG! WRONG! That is a braindead
approach. The way I recommend doing it is...
USE="-* fu bar blah blah blah"
...where commonly-used flags are included in USE. My rule-of-thumb is
Given that
* not including a flag in USE requires X entries adding it in package.use
* including a flag in USE requires Y entries negating it in package.use
If ( X > Y ) then
include the the flag in USE
else
do not include the the flag in USE
end if
I effectively "build my own profile" rather than depend on multiple
levels of inheritance. My current desktop runs with the following USE
flags...
USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg threads webp
-acl -berkdb -caps -cracklib -crypt -filecaps -gallium -gdbm -graphite -gstreamer -iconv
-introspection -ipc -iptables -ipv6 -libav -llvm -manpager -nls -openmp -pam -pch
-sendmail -tcpd -udev -unicode -xinerama"
Note all the negative flags. I'll try installing uclibc to a laptop
one of these days. I figure that it'll probably have a shorter USE line
if I start USE with "-*", and I will not have a larger package.use file.
+1
I've used Gentoo since 2004. I started down the minimal flag path, first
building iptables-based firewalls on gentoo. So that would be a
(minimal)base+iptables profile. My historical experience is that flag
negation has been a "dirty function" over the years; i.e. not consistent
sometimes, across time. That has resulted in a variety of flag negation
strategies to "tweek" the final results, seemingly more of an art form
with hidden tricks, and a robust (documented) semantic. Most hard to
track down problems were in the actual packages (ebuild) as we have
danced across EAPI standards all the way back to no EAPI standards and a
weak complement of documentation.
This happened because of 'package creep' or just needing/wanting to add
more and more codes to the firewalls. So now, my firewalls range from
truly minimal, all the way to enhancements that supercede suricata. So
imagine flags are a giant 'sparse matrix' that I need to 'mollify'
individually periodically, then run CI on that complete-set of packages,
and then test against automated attack vectors.
With CI, in a stage-4 install, we minimalist could test the our
collective of (minimized flag) packages and do our own CI. Even perhaps
sharing the result of our CI testing of such minimized systems when a
gentoo mechanism is available that can handle such massive amounts of
data. I proposed this (CI-stage-4) a while back in a gentoo-dev thread
and so here we are, again. Granted, this in-house gentoo-CI work was not
ready for such wider usage, when I last looked, but it will go a long
way in providing a robust tool for minimalist. Many are getting into the
minimalist systems, for security reasons too.
My needs, on the surface, may(maynot) appear to diverge from Walts, but
I surely hope that whatever the consensus solution is, at least for now,
it is flexible enough to coalesce all of the various minimalist into the
same area of the profile tree. We can then share ideas and results of
testing.
I really need to apologize to many devs. But, I'm getting very close to
having something absolutely wonderful, about 90% thanks to the gentoo
devs. I do not want to appear to be childish throwing a tantrum about
this, but, well, I just really cannot help it; as y'all can imagine?
hth,
James
