Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- 2013-09-27-initramfs-required
- Title Separate /usr on Linux requires initramfs
- Author William Hubbs <williamh@gentoo.org>
- Posted 2013-09-27
- Revision 1
- Linux systems which have / and /usr on separate file systems but do not
- use an initramfs will not be supported starting on 01-Nov-2013.
- If you have / and /usr on separate file systems and you are not
- currently using an initramfs, you must set one up before this date.
- Otherwise, at some point on or after this date, upgrading packages
- will make your system unbootable.
- For more information on setting up an initramfs, see this URL:
- https://wiki.gentoo.org/wiki/Initramfs/HOWTO
- Due to many upstream changes, properly supporting Linux systems that
- have /usr missing at boot time has become increasingly difficult.
- Despite all our efforts, it already breaks in some exotic
- configurations, and this trend is likely to grow worse.
- For more information on the upstream changes and why using an initramfs
- is the cleanest route forward, see the following URLs:
- http://freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
- https://blog.flameeyes.eu/2013/01/the-boot-process
- 2014-06-15-gcc48_ssp
- Title GCC 4.8.3 defaults to -fstack-protector
- Author Ryan Hill <rhill@gentoo.org>
- Posted 2014-06-15
- Revision 2
- Beginning with GCC 4.8.3, Stack Smashing Protection (SSP) will be
- enabled by default. The 4.8 series will enable -fstack-protector
- while 4.9 and later enable -fstack-protector-strong.
- SSP is a security feature that attempts to mitigate stack-based buffer
- overflows by placing a canary value on the stack after the function
- return pointer and checking for that value before the function returns.
- If a buffer overflow occurs and the canary value is overwritten, the
- program aborts.
- There is a small performance cost to these features. They can be
- disabled with -fno-stack-protector.
- For more information these options, refer to the GCC Manual, or the
- following articles.
- http://en.wikipedia.org/wiki/Buffer_overflow_protection
- http://en.wikipedia.org/wiki/Stack_buffer_overflow
- https://securityblog.redhat.com/tag/stack-protector
- http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong
- 2014-10-26-gcc_4_7_introduced_new_c++11_abi
- Title GCC 4.7 Introduced the New C++11 ABI
- Author Anthony G. Basile <blueness@gentoo.org>
- Posted 2014-10-26
- Revision 1
- GCC 4.7 introduced the new experimental 2011 ISO C++ standard [1], along with
- its GNU variant. This new standard is not the default in gcc-4.7, 4.8 or 4.9,
- the default is still gnu++98, but it can be enabled by passing -std=c++11 or
- -std=gnu++11 to CXXFLAGS.
- Users that wish to try C++11 should exercise caution because it is not
- ABI-compatible with C++98. Nor is C++11 code compiled with gcc-4.7 guaranteed
- to be ABI-compatible with C++11 compiled with 4.8, or vice versa [2]. Thus
- linking C++98 and C++11, or C++11 compiled with different versions of gcc, is
- likely to cause breakage. For packages which are self-contained or do not link
- against any libraries written in C++, there is no problem. However, switching
- to C++11 and then building packages which link against any of the numerous
- libraries in an incompatible ABI can lead to a broken system.
- This is a precautionary news item and the typical user need not do anything.
- However, as C++11 gains in popularity and the number of packages using it
- increases, it is important that users understand these issues [3].
- For an ABI compliance checker, and more information about C++ ABIs, see [4].
- Ref.
- [1] http://www.stroustrup.com/C++11FAQ.html
- [2] Upstream GCC does not support ABI-compatibility between gcc-4.x and 4.y for
- any x != y . See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61758. Even
- having different versions of gcc installed simultaneously may lead to problems,
- especially if the older version of gcc is active. An example is
- https://bugs.gentoo.org/show_bug.cgi?id=513386.
- [3] Note that some packages like www-client/chromium and net-libs/webkit-gtk
- are already using C++11 features.
- [4] http://ispras.linuxbase.org/index.php/ABI_compliance_checker
- 2015-02-04-portage-sync-changes
- Title New portage plug-in sync system
- Author Brian Dolbec <dolsen@gentoo.org>
- Posted 2015-02-02
- Revision 1
- There is a new plug-in sync system in >=sys-apps/portage-2.2.16.
- This system will allow third party modules to be easily installed. Look
- for a new layman plug-in sync module in layman's next release. Next is
- a brief look at the changes. See the url [1] listed below for detailed
- descriptions and usage.
- Changes: /etc/portage/repos.conf/*
- New setting for all repository types (needed):
- auto-sync = yes/no, true/false # default if absent: yes/true
- New for git sync-type: (applies to clone only)
- sync-depth = n where n = {0,1,2,3,...} (optional, default = 1)
- 0 -- full history
- 1 -- shallow clone, only current state (default)
- 2,3,... number of history changes to download
- New sync-type modules:
- sync-type = svn # sync a subversion repository
- sync-type = websync # Perform an emerge-webrsync operation
- sync-type = laymanator # (if installed) runs a layman -s action
- New native portage postsync hooks
- /etc/portage/postsync.d/*
- Runs hooks once, only after all repos have been synced.
- /etc/portage/repo.postsync.d/*
- Runs each script with three arguments:
- repo name, sync-uri, location
- Each script is run at the completion of every repo synced.
- Migration:
- Edit /etc/portage/repos.conf/*.conf files, add the auto-sync option
- to each repository definition. Edit sync-type option to one of the
- supported types {rsync, git, cvs, svn, websync, laymanator}.
- [some-repo]
- ...
- sync-type = rsync
- auto-sync = yes
- For an existing /etc/portage/repos.conf/layman.conf file:
- 1) change/add the sync-type
- sync-type = laymanator
- 2) Ensure you have the correct layman version installed with
- it's laymanator module also installed.
- Alternate method:
- Please see the wiki page url [1] for detailed instructions.
- Primary control of all sync operations has been moved from emerge to
- emaint. "emerge --sync" now just calls the emaint sync module with the
- --auto option. The --auto option performs a sync on only those
- repositories with the auto-sync setting not set to 'no' or 'false'. If
- it is absent, then it will default to yes and "emerge --sync" will sync
- the repository.
- NOTE: As a result of the default auto-sync = True/Yes setting, commands
- like "eix-sync", "esync -l", "emerge --sync && layman -S" will cause
- many repositories to be synced multiple times in a row. Please edit
- your configs or scripts to adjust for the new operation.
- WARNING:
- Due to the above default. For any repos that you EXPLICITLY do not
- want to be synced. You MUST set "auto-sync = no"
- The 'emaint sync' module operates similar to layman. It can sync
- single or multiple repos. See "emaint --help" or for more details and
- examples see the wiki page listed below [1].
- Additional help and project API documentation can be found at:
- [1] https://wiki.gentoo.org/wiki/Project:Portage/Sync
- 2015-07-25-python-targets
- Title Python 3.4 enabled by default
- Author Mike Gilbert <floppym@gentoo.org>
- Posted 2015-07-25
- Revision 1
- Python 3.4 is now enabled by default, replacing Python 3.3 as the
- default Python 3 interpreter.
- PYTHON_TARGETS will be adjusted to contain python2_7 and python3_4 by
- default via your profile.
- PYTHON_SINGLE_TARGET will remain set to python2_7 by default.
- If you have PYTHON_TARGETS set in make.conf, that setting will still be
- respected. You may want to adjust this setting manually.
- Once the changes have taken place, a world update should take care of
- reinstalling any python libraries you have installed. You should also
- switch your default python3 interpreter using eselect python.
- For example:
- eselect python set --python3 python3.4
- emerge -uDv --changed-use @world
- 2015-08-13-openssh-weak-keys
- Title OpenSSH 7.0 disables ssh-dss keys by default
- Author Mike Frysinger <vapier@gentoo.org>
- Posted 2015-08-13
- Revision 1
- Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
- been disabled by default at runtime due to their inherit weakness. If
- you rely on these key types, you will have to take corrective action or
- risk being locked out.
- Your best option is to generate new keys using strong algos such as rsa
- or ecdsa or ed25519. RSA keys will give you the greatest portability
- with other clients/servers while ed25519 will get you the best security
- with OpenSSH (but requires recent versions of client & server).
- If you are stuck with DSA keys, you can re-enable support locally by
- updating your sshd_config and ~/.ssh/config files with lines like so:
- PubkeyAcceptedKeyTypes=+ssh-dss
- Be aware though that eventually OpenSSH will drop support for DSA keys
- entirely, so this is only a stop gap solution.
- More details can be found on OpenSSH's website:
- http://www.openssh.com/legacy.html
- 2015-10-22-gcc-5-new-c++11-abi
- Title GCC 5 Defaults to the New C++11 ABI
- Author Mike Frysinger <vapier@gentoo.org>
- Posted 2015-10-22
- Revision 2
- GCC 5 uses the new C++ ABI by default. When building new code, you might run
- into link time errors that include lines similar to:
- ...: undefined reference to '_ZNSt6chrono12steady_clock3nowEv@GLIBCXX_3.4.17'
- Or you might see linkage failures with "std::__cxx11::string" in the output.
- These are signs that you need to rebuild packages using the new C++ ABI.
- You can quickly do so by using revdep-rebuild (from gentoolkit).
- For gentoolkit-0.3.1 or higher:
- # revdep-rebuild --library 'libstdc++.so.6' -- --exclude gcc
- For previous versions of gentoolkit:
- # revdep-rebuild --library 'libstdc\+\+\.so\.6' -- --exclude gcc
- For more details, feel free to peruse:
- https://developerblog.redhat.com/2015/02/05/gcc5-and-the-c11-abi/
- https://blogs.gentoo.org/blueness/2015/03/10/the-c11-abi-incompatibility-problem-in-gentoo/
- 2016-06-23-l10n-use_expand
- Title L10N USE_EXPAND variable replacing LINGUAS
- Author Mart Raudsepp <leio@gentoo.org>
- Author Ulrich Müller <ulm@gentoo.org>
- Posted 2016-06-19
- Revision 1
- The L10N variable is replacing LINGUAS as a USE_EXPAND, to avoid a
- conceptual clash with the standard gettext LINGUAS behaviour.
- L10N controls which extra localization support will be installed.
- This is commonly used for downloads of additional language packs.
- If you have set LINGUAS in your make.conf, you most likely want to add
- its entries also to L10N. Note that while the common two letter language
- codes (like "de" or "fr") are identical, more complex entries have a
- different syntax because L10N now uses IETF language tags. (For example,
- "pt_BR" becomes "pt-BR" and "sr@latin" becomes "sr-Latn".) You can look
- up the available codes in profiles/desc/l10n.desc in the gentoo tree.
- A detailed description of language tags (aka BCP 47) can be found at:
- https://www.w3.org/International/articles/language-tags/
- After a transition time for packages to be converted, the LINGUAS
- environment variable will maintain the standard gettext behaviour and
- will work as expected with all package managers. It controls which
- language translations are built and installed. An unset value means all
- available, an empty value means none, and a value can be an unordered
- list of gettext language codes, with or without country codes. Usually
- two letter language codes suffice, but can be narrowed down by country
- codes with a "ll_CC" formatting, where "ll" is the language code and
- "CC" is the country code, e.g., "en_GB". Some rare languages also have
- three letter language codes. Note that LINGUAS does not only affect
- installed gettext catalog files (*.mo), but also lines of translations
- in an always shipped file (e.g., *.desktop).
- If you want English with a set LINGUAS, it is suggested to list it with
- the desired country code, in case the default is not the usual "en_US".
- It is also common to list "en" then, in case a package is natively
- written in a different language, but does provide an English translation
- for whichever country. A list of LINGUAS language codes is available at:
- http://www.gnu.org/software/gettext/manual/gettext.html#Language-Codes
- If you have per-package customizations of the LINGUAS USE_EXPAND, you
- should also rename those. This typically means changing linguas_* to
- l10n_*, and possibly updating the syntax as described above.
- https://wiki.gentoo.org/wiki/Localization/Guide has also been updated to
- reflect this change.
- 2017-12-26-experimental-amd64-17-1-profiles
- Title Experimental amd64 17.1 profiles up for testing
- Author Michał Górny <mgorny@gentoo.org>
- Posted 2017-12-26
- Revision 3
- A new set of 17.1 amd64 profiles has been added to the Gentoo
- repository. Those profiles switch to a more standard 'no SYMLINK_LIB'
- multilib layout, and require explicit migration as described below. They
- are considered experimental at the moment, and have a fair risk
- of breaking your system. We would therefore like to ask our users to
- test them on their non-production ~amd64 systems.
- In those profiles, the lib->lib64 compatibility symlink is removed.
- The 'lib' directory becomes a separate directory, that is used
- for cross-arch and native non-library packages (gcc, clang) and 32-bit
- libraries on the multilib profile (for better compatibility with
- prebuilt x86 packages).
- Migration from both 13.0 and 17.0 profiles is supported. In case
- of the former, please read the news item for 17.0 upgrade first
- and enable gcc 6.4.0 or newer first as explained there.
- The migration is performed using app-portage/unsymlink-lib tool.
- The following steps can be used to upgrade your system:
- 1. Sync and upgrade your system to the newest package versions
- to reduce the risk of issues.
- 2. Install the tool, e.g. via 'emerge -1v app-portage/unsymlink-lib'
- 3. Run 'unsymlink-lib --analyze' and check the output for obvious
- mistakes. If you need to perform any changes to the system, remember
- to run 'unsymlink-lib --analyze' again afterwards.
- [past this point do not call emerge or modify /usr manually]
- 4. This is a very good time to make a backup.
- 5. Run 'unsymlink-lib --migrate'. You can add '--pretend' first to see
- what is going to happen.
- 6. Reboot your system and see if it still boots. Check if important
- programs work. In particular, check if e.g. 'emerge --info' works
- (but do not install anything). If you hit any serious problems,
- you can use 'unsymlink-lib --rollback' to revert the changes
- and return to step 3.
- 7. Run 'unsymlink-lib --finish'. You can add '--pretend' first to see
- what is going to happen but note that you're going to see a very long
- list of files to remove.
- 8. Switch the profile, e.g.:
- eselect profile set --force default/linux/amd64/17.1/desktop
- [at this point you can start using emerge again]
- 9. Rebuild sys-devel/gcc. If you are switching from 13.0 profiles,
- rebuild sys-devel/binutils and sys-libs/glibc afterwards.
- 10. If you are using a multilib profile, rebuild all 32-bit packages.
- This can be done using:
- emerge -1v /lib32 /usr/lib32
- Alternatively, if you are switching from one of the 13.0 profiles
- you can rebuild all packages as detailed in the 17.0 news item.
- 11. Once the last 32-bit package is rebuilt, your package manager
- should remove the orphaned /lib32 and /usr/lib32 symlinks. If that
- does not happen, remove them manually.
- For known issues, please see bug #506276 [1]. If you have any problems
- with the new profiles or the migration procedure, please report a bug
- and make it block the tracker.
- For more information on the layout, please see the wiki article
- on AMD64 multilib layouts [2].
- [1]:https://bugs.gentoo.org/506276
- [2]:https://wiki.gentoo.org/wiki/Project:AMD64/Multilib_layout
- 2018-01-30-portage-rsync-verification
- Title Portage rsync tree verification
- Author Michał Górny <mgorny@gentoo.org>
- Posted 2018-01-30
- Revision 1
- Starting with sys-apps/portage-2.3.21, Portage will verify the Gentoo
- repository after rsync by default.
- The new verification is intended for users who are syncing via rsync.
- Users syncing via git or other methods are not affected, and complete
- verification for them will be provided in the future.
- The verification is implemented via app-portage/gemato. Currently,
- the whole repository is verified after syncing. On systems with slow
- hard drives, this could take around 2 minutes. If you wish to disable
- it, you can disable the 'rsync-verify' USE flag on sys-apps/portage
- or set 'sync-rsync-verify-metamanifest = no' in your repos.conf.
- Please note that the verification currently does not prevent Portage
- from using the repository after syncing. If 'emerge --sync' fails,
- do not install any packages and retry syncing. In case of prolonged
- or frequent verification failures, please make sure to report a bug
- including the failing mirror addresses (found in emerge.log).
- The verification uses information from the binary keyring provided
- by the app-crypt/gentoo-keys package. The keys are refreshed
- from the keyserver before every use in order to check for revocation.
- The post-sync verification ensures that the authenticity of the key
- package itself is verified. However, manual verification is required
- before the first use.
- On Gentoo installations created using installation media that included
- portage-2.3.22, the keys will already be covered by the installation
- media signatures. On existing installations, you need to manually
- compare the primary key fingerprint (reported by gemato on every sync)
- against the official Gentoo keys [1]. An example gemato output is:
- INFO:root:Valid OpenPGP signature found:
- INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
- INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
- Please note that the above snippet does not include the real key id
- on purpose. The primary key actually printed by gemato must match
- the 'Gentoo Portage Snapshot Signing Key' on the website. Please make
- sure to also check the certificate used for the secure connection
- to the site!
- [1]:https://www.gentoo.org/downloads/signatures/
- 2018-03-13-portage-rsync-verification-unstable
- Title Portage rsync tree verification unstable
- Author Zac Medico <zmedico@gentoo.org>
- Posted 2018-03-13
- Revision 1
- Portage rsync tree verification is being temporarily turned off by
- default, starting with sys-apps/portage-2.3.24. This permits
- stabilization of sys-apps/portage-2.3.24 while still working on bugs
- relating to tree verification [1]: deadlocks [2] & key fetching [3].
- If users wish to enable the 'rsync-verify' USE flag for sys-apps/portage,
- they need to follow these steps:
- 1) In order to unmask the 'rsync-verify' USE flag, create a file named
- /etc/portage/profile/package.use.mask containing a line like the
- following:
- sys-apps/portage -rsync-verify
- 2) Once the 'rsync-verify' USE flag has been unmasked as described
- in step 1, it can be enabled with a line like the following in
- /etc/portage/package.use:
- sys-apps/portage rsync-verify
- 3) After the configuration changes in steps 1 and 2 have been made, run
- the following command:
- emerge --oneshot --newuse '>=sys-apps/portage-2.3.24'
- After all above steps are successfully completed, a line like the
- following should appear in the emerge --info output for the gentoo
- repository:
- sync-rsync-verify-metamanifest: yes
- If you wish to disable it for some reason, you can set
- 'sync-rsync-verify-metamanifest = no' in your repos.conf.
- [1] https://bugs.gentoo.org/650144 sys-apps/portage: [TRACKER] issues
- related to 'rsync-verify' USE flag
- [2] https://bugs.gentoo.org/647964 app-portage/gemato-11.2: deadlock?
- [3] https://bugs.gentoo.org/649276 sys-apps/portage: gpg key refresh
- needs exponential backoff with jitter
- 2018-05-22-python3-6
- Title Python 3.6 to become the default target
- Author Michał Górny <mgorny@gentoo.org>
- Posted 2018-05-22
- Revision 1
- On 2018-06-22, Python 3.6 will replace Python 3.5 in the default Python
- targets for Gentoo systems. The new default targets will be:
- PYTHON_TARGETS="python2_7 python3_6"
- PYTHON_SINGLE_TARGET="python3_6"
- If you have not overriden the value of those variables on your system,
- then your package manager will want to use the new targets immediately.
- In order to prevent dependency conflicts, please clean stray packages
- and rebuild/upgrade all packages with USE flag changes after the change,
- e.g.:
- emerge --depclean
- emerge -1vUD @world
- emerge --depclean
- Please note that upgrading dependencies in place may cause some
- of the package dependencies to be temporarily missing. While this
- should not affect scripts that are already fully loaded, it may cause
- ImportErrors while starting Python scripts or loading additional
- modules (only scripts running Python 3.5 are affected).
- In order to improve stability of the upgrade, you may choose to
- temporarily enable both targets, i.e. set in /etc/portage/make.conf
- or its equivalent:
- PYTHON_TARGETS="python2_7 python3_5 python3_6"
- PYTHON_SINGLE_TARGET="python3_5"
- This will cause the dependencies to include both Python 3.5 and 3.6
- support on the next system upgrade. Once all packages are updated,
- you can restart your scripts, remove the custom setting and run another
- upgrade to remove support for Python 3.5.
- If you would like to postpone the switch to Python 3.6, you can copy
- the current value of PYTHON_TARGETS and/or PYTHON_SINGLE_TARGET
- to /etc/portage/make.conf or its equivalent:
- PYTHON_TARGETS="python2_7 python3_5"
- PYTHON_SINGLE_TARGET="python3_5"
- If you would like to migrate your systems earlier, you can do the same
- with the new value.
- If you are still using Python 3.4, please consider switching to a newer
- version as it is reaching its end-of-life. The end-of-life dates
- for the currently used versions are:
- Python 3.4 2019-03-16
- Python 2.7 2020-01-01
- Python 3.5 2020-09-13 [1]
- [1]:https://devguide.python.org/#status-of-python-branches
- (chroot) sysresccd / #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement