On 10/19/2013 08:56 PM, Michael Orlitzky wrote:
> On 10/19/2013 08:29 PM, Anthony G. Basile wrote:
>> Can you check to see if the || die is required only on packages before
>> EAPI = 5? Or is it on all EAPI versions?
> It's required anywhere you want the ebuild to die when pax-mark fails.
> AFAIK, the EAPI >= 4 auto-die behavior only applies to the commands
> listed in the PMS under "Ebuild-specific Commands".
> Having said that, I'm not sure we want the ebuild to fail just because
> pax-mark fails. People on vanilla profiles without xattr support will
> be annoyed.
>> Can this be done in the profiles instead of the eclass?
> Right now, the eclass sets PAX_MARKINGS="PT" for everyone when the
> variable is unset. On hardened, we probably want PAX_MARKINGS="PT" for
> now, PAX_MARKINGS="PT XT" later, and PAX_MARKINGS="XT" eventually.
> Non-hardened users don't care about the markings[1], so it doesn't
> matter to them whether or not pax-mark fails. But for hardened users,
> the package will be broken, so the ebuild should die.
> What would happen if we changed the line,
>     PAX_MARKINGS=${PAX_MARKINGS:="PT"}
> in the eclass, to,
>     PAX_MARKINGS=${PAX_MARKINGS:="none"}
> and added,
>     PAX_MARKINGS="PT"
> to the hardened make.defaults?
> [1] There may be exceptions to this rule, but if we remove the PT
> default for non-hardened users, they can still set PAX_MARKINGS in
> make.conf if they want the markings.
The profile idea is a good one, but I'm always worried about people who
switch profiles. If we don't do the markings on *all* gentoo systems,
then someone switching from vanilla to hardened may have to re-emerge
lots of packages. Unlike PT_PAX, which is guaranteed to be there for
systems compiled on gentoo, XT_PAX markings are more fragile and depend
on the filesystem being able to sustain them.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
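The following is an added example illustrating the proposal discussed in the thread; it is not code from the thread, from the pax-utils eclass, or from Portage. It sketches the variable precedence (an eclass default of "none", a profile make.defaults supplying "PT", make.conf still able to override) and a marking wrapper that returns nonzero only when markings were actually requested, so an ebuild can append `|| die` and non-hardened users are never failed by a missing xattr implementation. The names resolve_pax_markings, pax_mark_wrap, PAX_MARK_BIN and mock_marker, and the argument layout passed to the marking tool, are assumptions for this sketch, not pax-mark's real interface.

```shell
#!/usr/bin/env bash
# Added example, not the pax-utils eclass. Models how PAX_MARKINGS would be
# resolved if the eclass default became "none" and profiles supplied "PT".

# resolve_pax_markings PROFILE_VALUE USER_VALUE
# Echoes the effective PAX_MARKINGS. Order mirrors Portage: the profile's
# make.defaults applies first, the user's make.conf overrides it, and the
# eclass line PAX_MARKINGS=${PAX_MARKINGS:="none"} fills in when still empty.
resolve_pax_markings() {
    local profile_value=$1 user_value=$2
    local PAX_MARKINGS
    [ -n "$profile_value" ] && PAX_MARKINGS=$profile_value
    [ -n "$user_value" ] && PAX_MARKINGS=$user_value
    # ":=" assigns the default only when the variable is unset or empty
    PAX_MARKINGS=${PAX_MARKINGS:="none"}
    printf '%s\n' "$PAX_MARKINGS"
}

# pax_mark_wrap FLAGS FILE...
# Reads PAX_MARKINGS from the environment. Returns 0 without doing anything
# when markings are "none" (vanilla profile, nobody asked for them), and
# otherwise invokes the marking tool once per requested marking type and
# returns its worst exit status, so a caller can write:
#     pax_mark_wrap m "${D}"/usr/bin/foo || die "pax-mark failed"
# PAX_MARK_BIN is a hypothetical override used here so the example runs
# without pax-mark installed; the "TYPE FLAGS FILE..." argument layout is
# an assumption of this sketch, not the real tool's command line.
pax_mark_wrap() {
    local flags=$1; shift
    local tool=${PAX_MARK_BIN:-pax-mark}
    local m ret=0
    [ "${PAX_MARKINGS:-none}" = none ] && return 0
    for m in $PAX_MARKINGS; do       # intentionally unquoted: "PT XT" splits
        case $m in
            PT|XT) "$tool" "$m" "$flags" "$@" || ret=$? ;;
            *) echo "pax_mark_wrap: unknown marking type '$m'" >&2; return 2 ;;
        esac
    done
    return $ret
}

# mock_marker TYPE FLAGS FILE...
# Stand-in for the marking tool (constructed for this example). PT_PAX lives
# in the ELF program header and always succeeds; XT_PAX is an xattr, so this
# mock fails for it to simulate a filesystem that cannot store user xattrs.
mock_marker() {
    case $1 in
        PT) return 0 ;;
        XT) echo "mock_marker: no xattr support on this filesystem" >&2; return 1 ;;
        *)  return 2 ;;
    esac
}
```

Running a hardened-style configuration (PAX_MARKINGS="PT XT") through pax_mark_wrap with mock_marker yields a nonzero status that `|| die` would catch, while PAX_MARKINGS=none returns 0 before any tool is invoked; that is the distinction the thread is after, with the decision moved into the variable's value rather than the eclass hard-coding "PT" for everyone.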