commit: 7b31a05ecb36f09159c3dca966deb845eded0b03 Author: Zac Medico <zmedico <AT> gentoo <DOT> org> AuthorDate: Sun Oct 26 10:04:51 2025 +0000 Commit: Zac Medico <zmedico <AT> gentoo <DOT> org> CommitDate: Sun Oct 26 10:08:49 2025 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=7b31a05e
_EbuildFetcherProcess: avoid forkserver permission issue due to userfetch Since we typically drop privileges for userfetch here, a forkserver shared with the parent would open privilege escalation issues that are better to avoid, therefore force the multiprocessing start method to spawn. Bug: https://bugs.gentoo.org/965138 Signed-off-by: Zac Medico <zmedico <AT> gentoo.org> lib/_emerge/EbuildFetcher.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/_emerge/EbuildFetcher.py b/lib/_emerge/EbuildFetcher.py
index 554cd95973..a41c44f2cd 100644
--- a/lib/_emerge/EbuildFetcher.py
+++ b/lib/_emerge/EbuildFetcher.py
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 import copy
@@ -272,6 +272,13 @@ class _EbuildFetcherProcess(ForkProcess):
 if pre_exec is not None:
 pre_exec()

+ if sys.version_info >= (3, 14):
+ # Since we typically drop privileges for userfetch here,
+ # a forkserver shared with the parent would open privilege
+ # escalation issues that are better to avoid, therefore
+ # force the multiprocessing start method to spawn.
+ multiprocessing.set_start_method("spawn", force=True)
+
 # Force consistent color output, in case we are capturing fetch
 # output through a normal pipe due to unavailability of ptys.
 portage.output.havecolor = settings.get("NOCOLOR") not in ("yes", "true")
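Review bot: The guard in the added block keys on the interpreter version rather than on the hazard itself, so a process whose start method was set to forkserver on an older Python would still reach the parent's forkserver after privileges are dropped; testing the method, e.g. `if multiprocessing.get_start_method() == "forkserver":`, would cover both cases. `set_start_method("spawn", force=True)` only replaces the default context, so any code that asks for `multiprocessing.get_context("forkserver")` explicitly is presumably unaffected and worth a grep. The commit adds no import lines (the diffstat's 8 insertions are the copyright line plus these seven), so `sys` and `multiprocessing` must already be imported in this file. The enclosing method starts and ends outside the hunk, so where the privilege drop happens relative to this call cannot be checked here.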
