openrc-0.45 pulling in sys-apps/systemd-utils

Message

egberts · Post by **egberts** » Fri Oct 14, 2022 8:59 pm

I have been running Gentoo for some time and have managed to avoid things like systemd by having in /etc/portage/package.mask

Code:

Code: Select all

### prevent any systemd install
acct-group/systemd-journal
media-sound/pulseaudio
net-dns/avahi
sys-apps/systemd
sys-apps/systemd-utils
sys-apps/systemd-tmpfiles
>sys-apps/usbutils-008
sys-auth/polkit
sys-auth/consolekit
sys-fs/udev
sys-fs/eudev
virtual/udev

Also

Code: Select all

 USE="-tmpfiles lvm parted openrc -systemd -udev"

.

But trying to rebuild the latest stable openrc, I'm having terrible luck trying to recapture my old USE settings from a half decade ago.

Code: Select all

# emerge --newuse --deep --verbose sys-apps/openrc

These are the packages that would be merged, in order:

Calculating dependencies... done!

!!! All ebuilds that could satisfy "sys-apps/systemd-utils[tmpfiles]" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-apps/systemd-utils-251.4-r2::gentoo (masked by: package.mask)

(dependency required by "virtual/tmpfiles-0-r3::gentoo" [ebuild])
(dependency required by "sys-apps/openrc-0.45.2::gentoo" [installed])
(dependency required by "sys-apps/openrc" [argument])
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.

Been reading the forum for quite some time and haven't gotten a good resolution to this.

eccerr0r · Post by **eccerr0r** » Fri Oct 14, 2022 9:36 pm

the systemd package, depending on USE flags, now supplies tmpfiles and udev. The corresponding non-systemd versions of these programs were not being maintained fast enough to keep up with systemd.
tmpfiles of systemd had more bugs worked out and actually is more secure than the tmpfiles it replaced, so yes you'll now have to download systemd to get that small piece of code.

CaptainBlood · Post by **CaptainBlood** » Sat Oct 15, 2022 2:24 am

Code: Select all

[I] sys-apps/systemd-utils
     Available versions:  251.4-r2^t ~251.5^t ~251.6^t {+acl boot +kmod selinux split-usr sysusers test +tmpfiles +udev ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32"}
     Installed versions:  251.4-r2^t(23:26:58 18/09/2022)(split-usr tmpfiles -acl -boot -kmod -selinux -sysusers -test -udev ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")

for openrc here with minimal USE flags.

Thks 4 ur attention, interest & support.

pa4wdh · Post by **pa4wdh** » Sat Oct 15, 2022 8:37 am

Been reading the forum for quite some time and haven't gotten a good resolution to this.

Because there is no supported resolution, using systemd's tmpfiles is the official supported situation.

If you're like me and don't want systemd stuff i have a small overlay to keep opentmpfiles:
https://code.pa4wdh.nl.eu.org/gentoo/opentmpfiles/tree/

Use at your own risk of course

sabayonino · Post by **sabayonino** » Sat Oct 15, 2022 9:45 am

Please read this --> https://www.gentoo.org/support/news-ite ... utils.html

This doesn't mean you have systemd as init service installed.

Post by **NeddySeagoon** » Sat Oct 15, 2022 11:13 am

Code: Select all

$ eix sys-apps/systemd-utils
* sys-apps/systemd-utils
     Available versions:  [m]251.4-r2^t [m](~)251.5^t {+acl boot +kmod selinux split-usr sysusers test +tmpfiles +udev ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32"}
     Homepage:            https://systemd.io/
     Description:         Utilities split out from systemd for OpenRC users

Note the description.

egberts · Post by **egberts** » Sat Oct 15, 2022 1:50 pm

sabayonino wrote:Please read this --> https://www.gentoo.org/support/news-ite ... utils.html

This doesn't mean you have systemd as init service installed.

As one who found a bit of disconcerting practices of secured coding within systemd suite during my lengthy and repeated (but contractual private) code reviews,

pa4wdh wrote:
Been reading the forum for quite some time and haven't gotten a good resolution to this.
Because there is no supported resolution, using systemd's tmpfiles is the official supported situation.

If you're like me and don't want systemd stuff i have a small overlay to keep opentmpfiles:
https://code.pa4wdh.nl.eu.org/gentoo/opentmpfiles/tree/

Use at your own risk of course

I’m embarking on a local overlay using this https://wiki.gentoo.org/wiki/User:Shunl ... y_Tutorial article now and then will privately review the opentmpfile package. Not the resolution that I am looking for but the above appears to be the right direction in term of least unsecured route.

Starting details is in https://code.pa4wdh.nl.eu.org/gentoo/op ... les/about/

Post by Hu » Sat Oct 15, 2022 5:04 pm

I cannot say that the systemd code is perfectly secured, but opentmpfiles was abandoned because it was affected by problems that were difficult to fix in shell, and already handled properly in the systemd utilities. If there are still security problems in the systemd code, please report them. If they are numerous or difficult to fix, that could be an argument against continuing to use the systemd utilities on non-systemd systems. If they are solvable, then fixing them benefits everyone.

egberts · Post by **egberts** » Sat Oct 15, 2022 8:24 pm

Hu wrote: If there are still security problems in the systemd code, please report them. If they are numerous or difficult to fix, that could be an argument against continuing to use the systemd utilities on non-systemd systems. If they are solvable, then fixing them benefits everyone.

I've worked with open source before in a setting that allowed for conducting responsible security disclosure toward open source (libpcap, TCP-SACK, pppd, ATM driver).

But this time period's employment contract of mine specifically prohibits any contribution made or any information learned from within the company into being used or released outside of the company;. Not much I could do there then. Except for myself (which I won't do because it's a hot mess then).

Now I am on my own.

And with any ... NEW ... info, I can definitely work (again) within the framework of responsible security disclosure in today's open source world.

I won't be able to be in a position to argue for/against except for my expression that I prefer to do without systemd. et. al.

guru meditation · Post by **guru meditation** » Fri Nov 25, 2022 11:20 pm

Eventually eudev is being further maintained. right?

Either per contractual arrangement or political opinion, some people need or want to keep their systems completely free systemd components and Mr. LP''s “work“.

Post by **NeddySeagoon** » Sat Nov 26, 2022 4:36 pm

guru meditation,

A static /dev with no autoblackmagic still works for me. :)

GDH-gentoo · Post by **GDH-gentoo** » Sat Nov 26, 2022 6:35 pm

guru meditation wrote:Eventually eudev is being further maintained. right?

Upstream repository still exists. It gets sporadic commits, seemingly to fix some things. Gentoo's ebuilds still exist. Does that count as "yes"?