Rich0's Gentoo Blog

The Dark Side of Quality

with 5 comments

Voltaire once said that the best is the enemy of the good. I think that there are few places where one can see as many abuses of quality as you’ll find in many FOSS projects, including Gentoo.

Often FOSS errs on the side of insufficient quality. Developers who are scratching itches don’t always have incentive to polish their work, and as a result many FOSS projects result in a sub-optimal user experience. In these cases “good enough” is standing in the way of “the best.”

However, I’d like to briefly comment on an opposite situation, where “the best” stands in the way of “good enough.” As an illustrative example, consider the excellent practice of removing bundled libraries from upstream projects. I won’t go on about why this is a good thing – others have already done so more extensively. And make no mistake – I agree that this is a good thing, the following notwithstanding.

The problem comes when things like bundled libraries become a reason to not package software at all. Two examples I’m aware of where this has happened recently are media-sound/logitechmediaserver-bin and media-gfx/darktable. In the former there is a push to remove the package due to the inclusion of bundled libraries. In the latter the current version is lagging somewhat because while upstream actually created an ebuild, it bundles libraries. Another example is www-client/chromium, which still bundles libraries despite a very impressive campaign by the chromium team to remove them.

The usual argument for banning packages containing bundled libraries is that they can contain security problems. However, I think this is misleading at best. If upstream bundles zlib in their package we cry about potential security bugs (and rightly so), however, if upstream simply writes their own compression functions and includes them in the code, we don’t bat an eyelash, even though this is more likely to cause security problems. The only reason we can complain about zlib is BECAUSE it is extensively audited, making it easy to spot the security problems. We’re not reacting to the severity of problems, but only to the detectablity of them.

Security is a very important aspect of quality, but any reasonable treatment of security has to consider the threat model. While software that bundles a library is rightfully considered “lower” in quality than one that does not, what matters more is whether this is a quality difference that is meaningful to end users, and what their alternatives are. If the alternative for the user is to just install the same software with the same issues, but from an even lower quality source with no commitment to security updates, then removing a package from Gentoo actually increases the risks to our users. This is not unlike the situation that exists with SSL, where an unencrypted connection is presented to the user as being more secure than an SSL connection with a self-signed certificate, when this is not true at all. If somebody uses darktable to process photos that they take, then they’re probably not concerned with a potential buffer overflow in a bundled version of dcraw. If the another user operated a service that accepted files from strangers on the internet, then they might be more concerned.

What is the solution?: A policy that gives users reasonably secure software from a reputable source, with clear disclosure. We should encourage devs to unbundle libraries, consider bugs pointing out bundled libraries valid, accept patches to unbundle libraries when they are available, and add an elog notice to packages containing bundled libraries in the interest of disclosure. Packages with known security vulnerabilities would be subject to the existing security policy. However, developers would still be free to place packages in the tree that contain bundled libraries, unmasked, and they could be stabilized. Good enough for upstream should be good enough for Gentoo (again, baring specific known vulnerabilities), but that won’t stop us from improving further.

Written by rich0

December 6, 2012 at 10:48 am

Posted in gentoo

Gentoo EC2 Tutorial / Bootstrapping

with 4 comments

I want to accomplish a few things with this post.

First, I’d like to give more attention to the work recently done by edowd on Bootstrapping Gentoo in EC2.

Second, I’d like to introduce a few enhancements I’ve made on these (some being merged upstream already).

Third, I’d like to turn this into a bit of a tutorial into getting started with EC2 as well since these scripts make it brain-dead simple.

Read the rest of this entry »

Written by rich0

September 24, 2012 at 10:20 am

Posted in foss, gentoo, linux

Gentoo Bug Bounties

with 7 comments

Some may have noticed that the Gentoo Foundation has funded a bug bounty. This is something fairly new for the Foundation, and I wanted to offer some comments on the practice. Please note that while I’d love to see some of these make their way into policy some day, these are nothing more than my own opinion, and I reserve the right to change my opinion as we gain experience.

The recent bug bounty was for bug #418431, which was to address a problem with git-svn which was holding up stabilization of the latest version of git, which is a blocker for the migration of the Portage tree to git.

What follows are some principles for the use of bug bounties and how I think we fared in this particular case. I’d like to see the use of bounties expand, as right now I believe we under-utilize our donations. However, it is important that bounties be used with care as they have the potential to cause harm or be wasteful.

One more upfront note – I supported the git-svn bounty as it was ultimately worded, as did the other Trustees. Looking back I think we could have done things a little differently, but hindsight is always 20/20, and no doubt we’ll continue to learn as we experiment with this further.

Read the rest of this entry »

Written by rich0

August 19, 2012 at 10:55 pm

MythTV ION Frustrations

with 2 comments

I figured I’d post another update on where things stand with MythTV on Gentoo. It looks like cardoe is finding some time to work on 0.25, which is good to see.

Right now my setup has the backend on Gentoo, and my set-top frontend on MiniMyth. This is a bit of a pain as it is hard to keep these in sync, so I’ve been trying to get this box onto Gentoo to greatly ease upgrades and allow me to update the tree.

However, I’m still running into issues making the switch. I’m running into issues with HD video artifacts on my frontend, which is a Zotac ION-based ITX board. These artifacts can be substantial – lasting tens of frames, causing tearing, leaving large pink areas on-screen, and so on. When I watch the same videos on MiniMyth sometimes I see no artifacts at all, and at other times I might see noise that lasts a frame.

So, something on the Gentoo build is causing minor defects in the stream to result in much more substantial ones by the time they are rendered. The Minimyth build is clearly more error-tolerant.

Unfortunately, I’m not very familiar with the entire rendering chain so I’m not sure which libraries could be at fault. If anybody is familiar with VDPAU rendering and has some suggestions I’m all ears.

Here is a link to the software installed on Gentoo.

Here is a link to the software installed on Minimyth.

Written by rich0

June 23, 2012 at 12:22 pm

Posted in Uncategorized

A Quick Dracut Module

with 7 comments

Since the general trend on many linux distros is towards requiring /usr to be mounted at boot time, I figured I’d see what it would take to get it working using dracut.

I’ve been messing with dracut for a while, and for some reason it stubbornly refuses to detect my raid devices. The kernel autodetection works fine, but this is disabled when booting from an initramfs. Dracut would timeout and drop me to a dash shell, and if I just typed mdadm -As followed by exit it would boot just fine.

Dracut is using udev to set up raid devices, and obviously that is not working.

Beyond this, I’d like to get my /usr mounted pre-boot, and there is a module called usrmount that purports to do just this. However, it isn’t working in my case because /usr is a bind mount to a subdir on an lvm volume, and it just isn’t figuring that out (it doesn’t even run lvm in the first place despite having the module installed, let alone figuring out what to mount in what order – I suspect the lvm module only works if root is on lvm).

My solution to both problems is to build my own simple dracut module. If you want to try it out:

  1. cd /usr/lib/dracut/modules.d/
  2. mkdir 91local
  3. cat > 91local/module-setup.sh
    #!/bin/bash
    # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
    # ex: ts=8 sw=4 sts=4 et filetype=sh

    check() {
    return 0
    }

    depends() {
    return 0
    }

    install() {
    inst_hook pre-trigger 91 "$moddir/mount-local.sh"
    }

  4. cat > 91local/mount-local.sh
    #!/bin/sh
    # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
    # ex: ts=8 sw=4 sts=4 et filetype=sh

    mount_local()
    {
    mdadm -As
    lvm pvscan
    lvm vgscan
    lvm lvscan
    lvm vgchange -ay
    }

    mount_local

Then run dracut to build your initramfs, and it should let mdadm and lvm auto-detect everything before it gets to mounting stuff. You can then use the fstab-sys to mount whatever you need to mount user. However, in your fstab.sys if you’re configuring a bindmount be sure to prepend /sysroot/ before the source directory.
Example fstab.sys:
/dev/vg1/data /data ext4 noatime,user_xattr,barrier=1 0 0
/sysroot/data/usr /usr none bind 0 0
/sysroot/data/var /var none bind 0 0

Hopefully this helps somebody out – the dracut documentation is pretty sparse. In fact, if somebody connected to dracut stumbles upon this I’d be open to a better way of hooking my script – pre-trigger just doesn’t seem right – I’d rather let udev try to do everything first. However, I couldn’t find any way to hook after udev runs but before it bombs out not finding my root device. Suggestions welcome.

Written by rich0

January 21, 2012 at 4:28 pm

Posted in gentoo, linux

Another MythTV Update

with 11 comments

Agreeing with some advice on gentoo-dev, I’m going to post this as a blog entry instead of a Gentoo news item. The quick version of this update is expect to see 0.24.1 in portage in a few days. The long version follows…
Read the rest of this entry »

Written by rich0

December 14, 2011 at 10:06 am

Posted in foss, gentoo, linux, mythtv

KDump on Gentoo

with 6 comments

I’ve been trying to learn a little more about kernel debugging (part of my quest to learn a little more about btrfs), and I figured I’d post a quick howto on getting kernel crash dumps captured on Gentoo.
Read the rest of this entry »

Written by rich0

November 11, 2011 at 9:45 pm

Posted in gentoo, linux

Follow

Get every new post delivered to your Inbox.