On 11/12/24 8:56 AM, Peter Böhm wrote: > Hello everyone, > > as far as I remember correctly, both were activated globally and were only > removed as global settings due to the security vulnerability of zstd. This is > now history and I would like to ask if we should re-enable both globally?
It actually happened in https://bugs.gentoo.org/928932 The rationale for dropping it from global USE was: > This default doesn't actually solve the stated problem, and setting > it in a high-level profile causes new ones for users who want it > disabled. The obvious solution to revert to the status quo is to set > USE="-lzma", but that has the dangerous side-effect of overriding > IUSE defaults in packages where they are important. For example, sys- > apps/kmod uses +lzma to ensure that your kernel will boot if you > choose lzma compression for modules; helpful, because there's no > other way for the package manager to track that dependency. And the mailing list discussion involved was: https://public-inbox.gentoo.org/gentoo-dev/98d180b6db191830e9700d0f5b874274a3fd4755.ca...@gentoo.org/ Admittedly, some comments were made at the time that it was "interesting timing because of the xz backdoor" but the core point made by Michael is useful to note here: > What I am saying is that I want the freedom to not have things > pointlessly enabled on my systems, because similar problems (and worse) > happen all day every day. The less exposure I have, the better. The > liblzma backdoor was timely because it will prevent most people from > telling me I'm being paranoid, but it could have been USE=anything on > any other day. Moving the defaults out of the high-level profiles will > give control back to the user, hence my complaint about it. -- Eli Schwartz
OpenPGP_signature.asc
Description: OpenPGP digital signature
