Gentoo Forums
kernel suddenly requires freedist license despite deblob
litan
n00b

Joined: 13 Aug 2012
Posts: 37

Posted: Thu Jan 15, 2015 6:24 pm    Post subject: kernel suddenly requires freedist license despite deblob

I am running a machine with hardened-sources and the following settings in make.conf:

Code:
USE="deblob"
ACCEPT_LICENSE="-* @FREE"


Everything went fine and kernels were deblobbed as expected,
until I tried to switch from hardened-sources to gentoo-sources:

Code:
# emerge -pv gentoo-sources

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-kernel/gentoo-sources-3.17.7:3.17.7  USE="deblob -build -experimental -symlink" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

The following license changes are necessary to proceed:
 (see "package.license" in the portage(5) man page for more details)
# required by gentoo-sources (argument)
>=sys-kernel/gentoo-sources-3.17.7:3.17.7 freedist


I installed it previously by making the suggested change to package.license,
but the deblob-script did not run, despite the deblob USE flag apparently being recognized.
I reverted the change to package.license and, again, ended up with the message above.
I am able to reinstall hardened-sources without problem:

Code:
# emerge -av hardened-sources

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-kernel/hardened-sources-3.17.7-r1:3.17.7-r1  USE="deblob -build -symlink" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

!!! The following installed packages are masked:
- sys-kernel/gentoo-sources-3.17.7::gentoo (masked by: freedist license(s))
A copy of the 'freedist' license is located at '/usr/portage/licenses/freedist'.

For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.


Would you like to merge these packages? [Yes/No]


On other machines with similar USE and license settings, switching from
gentoo-sources to hardened-sources is no problem.

As I understand it, the deblob USE flag should get rid of the freedist license requirement,
but that's where I'm stuck.
What am I missing?

galoisghost
n00b

Joined: 27 Oct 2014
Posts: 3

Posted: Mon Jan 19, 2015 7:32 am

deblob support was removed from gentoo-sources ebuilds 4 days ago. Commits say that it was broken but don't indicate how or reference any particular bug report.

litan
n00b

Joined: 13 Aug 2012
Posts: 37

Posted: Mon Jan 19, 2015 8:16 pm

galoisghost, thank you for this very helpful comment!
I found what you are referring to here:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog?view=markup
After an 'emerge-webrsync' I can confirm this on my other machines.

Any hints how I can possibly resolve this, besides simply using hardened-sources?
(I would rather not switch and the next question would be how long the deblob support for this package will stay anyway)

Using freedist is not an option since it's a policy to not trust any blobs. The deblob feature was one of the top
reasons I switched to Gentoo.
I would very much like to do the next update on my three machines, which are using gentoo-sources.
Is it appropriate to file a bug report? (never did anything like that before)
Or should I contact the person who did the commit or write to some mailing list?

Thanks in advance for any additional hints!

steveL
Advocate

Joined: 13 Sep 2006
Posts: 3436
Location: The Peanut Gallery

Posted: Mon Jan 19, 2015 9:42 pm

I would probably email mpagano, in your position. Though a bug report would be useful in terms of discussion and collaboration to get support back.

galoisghost
n00b

Joined: 27 Oct 2014
Posts: 3

Posted: Tue Jan 20, 2015 12:52 pm

Well, I found out why: https://bugs.gentoo.org/show_bug.cgi?id=536482
I think that Arfrever's response plus this bug https://bugs.gentoo.org/show_bug.cgi?id=533532 are the clues to solving the problem to get deblob back.

I find it odd that mpagano seems to have given up on deblob. Maybe we do need sys-kernel/libre-sources.

khayyam
Advocate

Joined: 07 Jun 2012
Posts: 2949

Posted: Tue Jan 20, 2015 1:09 pm

galoisghost wrote:
bug 536482

Mike Gilbert wrote:
There's nothing stopping you from downloading a kernel tarball and running deblob yourself. The kernel sources ebuilds in the tree are just a convenience.

... except that this makes the entire raison d'etre of ACCEPT_LICENSE meaningless.

best ... khay

galoisghost
n00b

Joined: 27 Oct 2014
Posts: 3

Posted: Tue Jan 20, 2015 1:27 pm

khayyam wrote:

... except that this makes the entire raison d'etre of ACCEPT_LICENSE meaningless.


Good point. Time for a bug report.

edit: https://bugs.gentoo.org/show_bug.cgi?id=537132

khayyam
Advocate

Joined: 07 Jun 2012
Posts: 2949

Posted: Tue Jan 20, 2015 10:02 pm

galoisghost wrote:
khayyam wrote:

... except that this makes the entire raison d'etre of ACCEPT_LICENSE meaningless.

Good point. Time for a bug report. edit: bug 537132

galoisghost ... I think that bug will be closed as INVALID ... you need to provide a better argument. For instance there are packages that depend on virtual/linux-sources, and some package needs to provide that virtual ... so, if those using deblob (as it's required for @FREE) are asked to download the sources from kernel.org then that makes a bit of a mockery of 'package management' ... which of course ACCEPT_LICENSE is an integral part of.

Code:
# equery -NC depends virtual/linux-sources
 * These packages depend on virtual/linux-sources:
net-firewall/ipset-6.21.1 (kernel_linux ? virtual/linux-sources)

I could probably provide more reasons, but right now I'm completely beat :P

best ... khay

litan
n00b

Joined: 13 Aug 2012
Posts: 37

Posted: Fri Jan 23, 2015 4:15 pm

galoisghost wrote:

Good point. Time for a bug report.

edit: https://bugs.gentoo.org/show_bug.cgi?id=537132

Thanks for the bug report!

Seems like nobody is going to fix this.
I was considering running the deblob script myself after installing gentoo-sources,
but as it turns out there is apparently no straightforward way of verifying the download of this script,
since there are no signatures and the download is unencrypted.
They told me there are other ways to do this, which I don't yet quite understand, so since it might take me
a while to do this manually, I am now considering switching to hardened-sources in order to get the next update.
But before I do that I would like your opinions on how likely it is that deblob support will be removed from
hardened-sources as well any time soon, since it was also removed from vanilla-sources recently.
Starts to look like a pattern..

steveL
Advocate

Joined: 13 Sep 2006
Posts: 3436
Location: The Peanut Gallery

Posted: Sat Jan 24, 2015 2:21 am

galoisghost wrote:
Good point. Time for a bug report.
https://bugs.gentoo.org/show_bug.cgi?id=537132

litan wrote:
Thanks for the bug report!

Seems like nobody is going to fix this.
I was considering running the deblob script myself after installing gentoo-sources,
but as it turns out there is apparently no straightforward way of verifying the download of this script,
since there are no signatures and the download is unencrypted.

Huh? That doesn't make any sense, since there's supposed to be a manifest, with precisely those signatures for files downloaded.
Quote:
They told me there are other ways to do this, which I don't yet quite understand, so since it might take me
a while to do this manually, I am now considering switching to hardened-sources in order to get the next update.
But before I do that I would like your opinions on how likely it is that deblob support will be removed from
hardened-sources as well any time soon, since it was also removed from vanilla-sources recently.
Starts to look like a pattern..

I'd ask in #gentoo-hardened about that. It seems pretty likely to me, unless someone sorts out the original bug about the download paths.

It doesn't look that hard to me; from the upstream url there are LATEST-X.Y.z directories, as well as straight explicitly-versioned eg 3.18.3-gnu. From what I can gather we don't want to use the LATEST- part, just the normally-versioned path, though we need to sort out how the current ebuild is "including only branch instead of specific version in names of downloaded files."
Code:
if [[ ${KV_MAJOR} -ge 3 ]]; then
    DEBLOB_PV="${KV_MAJOR}.${KV_MINOR}"
fi

DEBLOB_A="deblob-${DEBLOB_PV}"
DEBLOB_CHECK_A="deblob-check-${DEBLOB_PV}"
DEBLOB_HOMEPAGE="http://www.fsfla.org/svnwiki/selibre/linux-libre/"
DEBLOB_URI_PATH="download/releases/LATEST-${DEBLOB_PV}.N"
if ! has "${EAPI:-0}" 0 1 ; then
    DEBLOB_CHECK_URI="${DEBLOB_HOMEPAGE}/${DEBLOB_URI_PATH}/deblob-check -> ${DEBLOB_CHECK_A}"
else
    DEBLOB_CHECK_URI="mirror://gentoo/${DEBLOB_CHECK_A}"
fi
DEBLOB_URI="${DEBLOB_HOMEPAGE}/${DEBLOB_URI_PATH}/${DEBLOB_A}"

Both "$DEBLOB_A" and "$DEBLOB_CHECK_A" end with "$DEBLOB_PV" which has been set to eg 3.4 at the top, when it should remain the full version (or eg: 3.18.3-gnu). So it's not hard to sort out; it just needs a bit of tweaking and testing.

Try it and see?
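
steveL's two points above, the Manifest check and the branch-only file names, can be seen together in this added example (not code from the thread or from the Gentoo tree): a file is checked against a Manifest `DIST` entry, and a digest recorded under a reused branch-only name stops matching once the content behind that name changes. The file contents and the `deblob-3.17.7`/`deblob-3.17.8` names are constructed.

```shell
#!/bin/sh
# Added example: check a fetched file against a Portage Manifest DIST entry.
# DIST line format: DIST <name> <size> <HASH> <hex> [<HASH> <hex> ...]

# verify_dist MANIFEST FILE NAME
# Returns 0 on match, 1 on size/digest mismatch, 2 if NAME has no SHA256 entry.
verify_dist() {
    entry=$(awk -v n="$3" '$1 == "DIST" && $2 == n { print; exit }' "$1")
    [ -n "$entry" ] || return 2
    want_size=$(printf '%s\n' "$entry" | awk '{ print $3 }')
    want_sha=$(printf '%s\n' "$entry" |
        awk '{ for (i = 4; i < NF; i += 2) if ($i == "SHA256") print $(i + 1) }')
    [ -n "$want_sha" ] || return 2
    have_size=$(wc -c < "$2" | tr -d ' ')
    have_sha=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$have_size" = "$want_size" ] && [ "$have_sha" = "$want_sha" ]
}

# dist_entry NAME FILE: print the DIST line that pins FILE under NAME.
dist_entry() {
    printf 'DIST %s %s SHA256 %s\n' "$1" "$(wc -c < "$2" | tr -d ' ')" \
        "$(sha256sum "$2" | awk '{ print $1 }')"
}

# Constructed demo: upstream publishes two script revisions within one branch.
# File contents and the deblob-3.17.x names are made up for illustration.
demo() {
    d=$(mktemp -d) || return 1
    printf 'echo deblob for 3.17.7\n' > "$d/rev1"
    printf 'echo deblob for 3.17.8\n' > "$d/rev2"
    # Branch-only name (DEBLOB_PV=3.17): a single entry, recorded from rev1.
    dist_entry deblob-3.17 "$d/rev1" > "$d/Manifest.branch"
    # Full-version names: one immutable entry per release.
    dist_entry deblob-3.17.7 "$d/rev1" > "$d/Manifest.full"
    dist_entry deblob-3.17.8 "$d/rev2" >> "$d/Manifest.full"
    r1=0; verify_dist "$d/Manifest.branch" "$d/rev1" deblob-3.17 || r1=$?
    r2=0; verify_dist "$d/Manifest.branch" "$d/rev2" deblob-3.17 || r2=$?
    r3=0; verify_dist "$d/Manifest.full" "$d/rev2" deblob-3.17.8 || r3=$?
    r4=0; verify_dist "$d/Manifest.full" "$d/rev2" deblob-3.18 || r4=$?
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

demo   # prints "0 1 0 2"
```

The second result is the mismatch: same name and same size, different content. A file with no entry at all (the fourth result) is reported separately so it cannot be mistaken for a pass.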

litan
n00b

Joined: 13 Aug 2012
Posts: 37

Posted: Fri Feb 06, 2015 3:03 am

steveL, thanks for your suggestions, but I am too inexperienced to do the necessary tweaking.

I have a follow-up to this:

gentoo-sources-3.17.8-r1 has been released as stable, but it does not appear in my world updates,
because of my license settings. This happens silently. I didn't receive a gentoo news item and
emerge doesn't say a word about the fact that I am missing an update or that an installed package is masked:

Code:
# emerge -avuDN --with-bdeps=y @world

These are the packages that would be merged, in order:

Calculating dependencies... done!

Total: 0 packages, Size of downloads: 0 KiB

Nothing to merge; quitting.


After allowing freedist for gentoo-sources, the update is properly listed for merging:

Code:
# emerge -avuDN --with-bdeps=y @world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  NS    ] sys-kernel/gentoo-sources-3.17.8-r1:3.17.8-r1 [3.12.21-r1:3.12.21-r1, 3.14.14:3.14.14, 3.16.5:3.16.5, 3.17.7:3.17.7] USE="deblob -build -experimental -symlink" 298 KiB

Total: 1 package (1 in new slot), Size of downloads: 298 KiB

Would you like to merge these packages? [Yes/No]


..with the deblob flag still present but without having any effect, which also looks wrong and misleading to me.

I don't know if I understand this correctly, since I am fairly new to Gentoo, but is this actually how Gentoo is
supposed to handle something like that or should the bug 537132 be reopened or is this a new bug?

Let's suppose someone didn't follow this discussion or notice the kernel being masked otherwise.
How would one know that something is wrong with the license settings, which were working perfectly before?
Is it possible that there are Gentoo users out there with the same license settings who will remain
ignorant about the fact that new kernel versions are being released while thinking their system is
perfectly up to date and secure (I suppose there are security updates incorporated into new kernels)?
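
The installed-package mask warning that emerge printed earlier in this thread can be picked out mechanically; this added example (not from any poster or from Portage) extracts license-masked installed packages from captured emerge output. It assumes the warning keeps the line shape shown in the thread, it cannot see a mask in a run where emerge prints no warning, and the package `app-misc/constructed-1.0` is made up.

```shell
#!/bin/sh
# Added example: list installed packages that emerge reports as license-masked.
# Assumes the warning block has the shape shown earlier in this thread.

# license_masked: emerge output on stdin -> "<category/package-version> <license>"
license_masked() {
    awk '
        /^!!! The following installed packages are masked:/ { in_block = 1; next }
        in_block && /^- / {
            if (match($0, /\(masked by: .* license\(s\)\)/)) {
                reason = substr($0, RSTART, RLENGTH)
                sub(/^\(masked by: /, "", reason)
                sub(/ license\(s\)\)$/, "", reason)
                pkg = $2
                sub(/::.*$/, "", pkg)      # drop the "::gentoo" repository suffix
                print pkg, reason
            }
            next
        }
        { in_block = 0 }                   # any other line ends the block
    '
}

# Sample input: first entry copied from the thread, second one constructed.
sample_output() {
    cat <<'EOF'
Total: 1 package (1 reinstall), Size of downloads: 0 KiB

!!! The following installed packages are masked:
- sys-kernel/gentoo-sources-3.17.7::gentoo (masked by: freedist license(s))
- app-misc/constructed-1.0::gentoo (masked by: package.mask)
A copy of the 'freedist' license is located at '/usr/portage/licenses/freedist'.
EOF
}

# check_masked: exit status 1 when a license mask hides an installed package,
# so a cron job or wrapper can alert instead of reporting "nothing to merge".
check_masked() {
    found=$(license_masked)
    [ -z "$found" ] && return 0
    printf 'license-masked: %s\n' "$found" >&2
    return 1
}

sample_output | license_masked   # prints "sys-kernel/gentoo-sources-3.17.7 freedist"
```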

khayyam
Advocate

Joined: 07 Jun 2012
Posts: 2949

Posted: Sun Feb 08, 2015 2:22 pm

litan wrote:
I don't know if I understand this correctly, since I am fairly new to Gentoo, but is this actually how Gentoo is supposed to handle something like that or should the bug 537132 be reopened or is this a new bug?

litan ... it would seem to me that the central question here is that of ACCEPT_LICENSE being handled consistently. If deblob is to be dropped then this makes the provision of ACCEPT_LICENSE="-* @FREE" non-operable, because the very idea of ACCEPT_LICENSE is that it stipulates a condition for the entire install. If this is non-operable it should be stated that such a licence condition is not supported because the very purpose of ACCEPT_LICENSE is to set such a condition.

I don't particularly see deblob as something enabling "-* @FREE", obviously the user can deselect a menu item that involves blobs and so avoid any such code, or as suggested run deblob themselves subsequent to the package merge, so, this is really a statement about the purpose of ACCEPT_LICENSE itself, rather than how to avoid the use of such blobs.

best ... khay