Updating @world with conflicting USE flags

Message

Torpus · Post by **Torpus** » Sun Oct 08, 2023 8:16 am

Hey folks!

I know that by updating the whole Gentoo it's possible to just:

emerge -aqUDN --autounmask --autounmask-continue @world

But I have a little issue especially when I have hardened+SELinux+unstable:

Some packages set their own USE flags by default which is annoying:

Code: Select all

!!! Problem resolving dependencies for sys-fs/lvm2 from @selected

!!! The ebuild selected to satisfy "sys-fs/lvm2" has unmet requirements.
- sys-fs/lvm2-2.03.22-r2::gentoo USE="lvm readline (selinux) static-libs udev -sanlock -static -systemd -thin -valgrind" ABI_X86="(64)"

  The following REQUIRED_USE flag constraints are unsatisfied:
    static-libs? ( static !udev )

  The above constraints are a subset of the following complete expression:
    static? ( !systemd !udev ) static-libs? ( static !udev ) systemd? ( udev ) thin? ( lvm )

(dependency required by "@selected" [set])
(dependency required by "@world" [argument])

I know there might be some packages that need specific things but my question is: How can I set or remove USE flags for specific packages in some config file before updating @world?

Like I also want to disable the doc USE flag specifically for dev-lang/ghc since with it the package fails to emerge...

Thanks in advance :)

alamahant · Post by **alamahant** » Sun Oct 08, 2023 8:44 am

This

emerge -aqUDN --autounmask --autounmask-continue @world

should be

Code: Select all

emerge -aquUDv --autounmask --autounmask-continue @world

You miss the "u" for update and you don't need "N".
"U" will suffice.
"v" for verbose.
As for per package USE flags something like

Code: Select all

echo "some/package use1 use2 use3" > /etc/portage/package.use/<package-name>
or
echo "=some/package-<version> use1 use2 use3" > /etc/portage/package.use/<package-name>

The hierarchy of USE flags is
profile->make.conf->package.use

You seem to have universal USE="static-libs" in make.conf.
Plz don't.

Post by **NeddySeagoon** » Sun Oct 08, 2023 8:47 am

Torpus,

--autounmask in all its forms will destroy your install, or a least, force you to learn things about Gentoo you can learn no other way.

It effect, whet portage cannot solve the dependency tree, it says please guess. When the guess is wrong, portage will try to install things anyway, which just make a bad situation worse.
The you have to unpick the error and are forced to understand the original problem.
You may as well do that now and avoid getting out of the hole you are telling portage to dig for you.

To answer your question, /etc/portage/package.use is used to set per package USE flags. Be warned that setting some flags on a per package basis will require certain settings on other packages too.

Code: Select all

  The following REQUIRED_USE flag constraints are unsatisfied:
    static-libs? ( static !udev )

That says that if you want static-libs on sys-fs/lvm2-2.03.22-r2::gentoo then you must also set USE=static -udev on sys-fs/lvm2-2.03.22-r2 too.
About the only use for that is in an initrd. Some context about why would help us to help you.

Is it for an initrd?

Why hardened and SELinux?
What is your threat model?

Torpus · Post by **Torpus** » Sun Oct 08, 2023 10:54 am

alamahant,

I thought that v is the opposite of q

I actually have -static-libs, but I think I undrestand why lvm needs it..

I have a custom initramfs on the /boot partition and my rootfs is encrypted. So lvm2 must be static.

Okay, at least that issue is fixed, but I'm into another one...

NeddySeagoon,

--autounmask is to me the best solution for when Portage complains so many times about packages and have to fix them manually, also without it Portage will only install the "stable" packages which are mostly outdated (especially when the Gentoo devs have to play around with different USE flags to make sure everything's okay as far as I believe)

NeddySeagoon wrote:Is it for an initrd?

Why hardened and SELinux?
What is your threat model?

>Yes.
>Well, I don't know I just did that..

>I just want privacy (and protection from malware even though 99% of it is made for Windows). I don't wanna let adversaries online to check everything I'm doing, but maybe that's a thing related to networking, VPN, Tor, browsers, etc and not with Gentoo specifically.

Portage now displays this issue here:

Code: Select all

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

virtual/rust:0

  (virtual/rust-1.73.0:0/llvm-17::gentoo, ebuild scheduled for merge) USE="-rustfmt" ABI_X86="(64) -32 (-x32)" pulled in by
    =virtual/rust-1.73.0 required by (dev-util/bindgen-0.68.1-2:0/0::gentoo, installed) USE="-debug" ABI_X86="(64) -32 (-x32)"
    ^             ^^^^^^                                                                                                                                                                                                                                         
    (and 6 more with the same problem)

  (virtual/rust-1.72.0-r1-1:0/llvm-16::gentoo, installed) USE="-rustfmt" ABI_X86="(64) -32 (-x32)" pulled in by
    =virtual/rust-1.72.0-r1 required by (www-client/librewolf-118.0.1_p1:0/118::librewolf, ebuild scheduled for merge) USE="X clang gmp-autoupdate hardened jumbo-build (selinux) system-av1 system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-webp -dbus -debug -eme-free -geckodriver -hwaccel -jack -libproxy -lto -openh264 -pgo -pulseaudio -screencast -sndio -system-png (-system-python-libs) -telemetry -valgrind -wayland -wifi" ABI_X86="(64)" L10N="-ach -af -an -ar -ast -az -be -bg -bn -br -bs -ca -ca-valencia -cak -cs -cy -da -de -dsb -el -en-CA -en-GB -eo -es-AR -es-CL -es-ES -es-MX -et -eu -fa -ff -fi -fr -fur -fy -ga -gd -gl -gn -gu -he -hi -hr -hsb -hu -hy -ia -id -is -it -ja -ka -kab -kk -km -kn -ko -lij -lt -lv -mk -mr -ms -my -nb -ne -nl -nn -oc -pa -pl -pt-BR -pt-PT -rm -ro -ru -sc -sco -si -sk -sl -son -sq -sr -sv -szl -ta -te -th -tl -tr -trs -uk -ur -uz -vi -xh -zh-CN -zh-TW"
    ^             ^^^^^^^^^                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
    virtual/rust:0/llvm-16 required by (www-client/icecat-115.3.0:0/0::src_prepare-overlay, ebuild scheduled for merge) USE="X clang hardened (selinux) system-av1 system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-webp -dbus -debug -geckodriver -hwaccel -jack -libproxy -lto -openh264 -pgo -pulseaudio -screencast -sndio -system-png -system-python-libs -wayland -wifi" ABI_X86="(64)" L10N="-ach -af -an -ar -ast -az -be -bg -bn -br -bs -ca -ca-valencia -cak -cs -cy -da -de -dsb -el -en-CA -en-GB -eo -es-AR -es-CL -es-ES -es-MX -et -eu -fa -ff -fi -fr -fur -fy -ga -gd -gl -gn -gu -he -hi -hr -hsb -hu -hy -ia -id -is -it -ja -ka -kab -kk -km -kn -ko -lij -lt -lv -mk -mr -ms -my -nb -ne -nl -nn -oc -pa -pl -pt-BR -pt-PT -rm -ro -ru -sc -sco -si -sk -sl -son -sq -sr -sv -szl -ta -te -th -tl -tr -trs -uk -ur -uz -vi -xh -zh-CN -zh-TW"
                ^^^^^^^^^^                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
    (and 2 more with the same problems)

I think it can be "enough" to just emerge the packages manually but... it might be extremely time consuming...

I mean LLVM and Clang need sometimes to switch from version 17 to 16 and vice versa, and despite I had emerged both versions before Portage has to recompile these in every single switch, and pretty much it'd do the same with Rust, I think.

Post by **NeddySeagoon** » Sun Oct 08, 2023 11:58 am

Torpus,

Take time to understand what you are doing now. It will save time overall.
Less haste more speed. :)

If you want a testing system tell portage that. I'm not telling you how. Part of understanding is the discovery.
Hardened and SELinux protect against different things and use different assumptions.

SELinux is aimed at limiting what untrusted ordinary users can do. If you are the only user and you don't trust yourself, SELinux won't help as you also have root.
Hardened helps make exploits harder. Not impossible, just more difficult and time consuming. The idea is to encourage an attacker to find a Windows XP system to attack instead.
But there is the obligatory xkcd to keep in mind too.

There is no need to use the same USE flags in the initrd as you do in the live system. Indeed it's a good idea not to.
See Building the Binaries. That whole wiki page is worth reading.

So lvm2 must be static.

Once upon a time :) it was traditional to build everything for the initrd statically linked. It was a tradition, not a requirement. Its been eroded over the years but the myth still persists.
Anything and everything in the initrd can be dynamically linked provided the dynamic linker and all the required libraries are included.

Code: Select all

$ lddtree /sbin/lvm
/sbin/lvm (interpreter => /lib64/ld-linux-x86-64.so.2)
    libdevmapper-event.so.1.02 => /lib64/libdevmapper-event.so.1.02
        libdevmapper.so.1.02 => /lib64/libdevmapper.so.1.02
            libm.so.6 => /lib64/libm.so.6
    libreadline.so.8 => /lib64/libreadline.so.8
        libtinfow.so.6 => /lib64/libtinfow.so.6
    libblkid.so.1 => /lib64/libblkid.so.1
    libaio.so.1 => /lib64/libaio.so.1
    libc.so.6 => /lib64/libc.so.6

By not using the system binaries, which tend to evolve changed dependencies with time, its possible to update the initrd init script to change hard coded things at any random future date, without fretting about updating the dependency tree for the initrd.

--autounmask is a problem not a solution.
--autounmask -p is safe as you can look at what portage guesses and see if its sensible.
If it wants to install masked packages or 'live' versions, its leading you astray. That's the worst excesses of --autounmask.

Torpus · Post by **Torpus** » Sun Oct 08, 2023 6:50 pm

NeddySeagoon,

NeddySeagoon wrote:Take time to understand what you are doing now. It will save time overall.
Less haste more speed.

Ugh.. it's a really steep learning curve

But since you use a comfy Gentoo, so can I.

NeddySeagoon wrote:If you want a testing system tell portage that.

Code: Select all

ACCEPT_KEYWORDS="~amd64"

Already set since my very first installation attempt

NeddySeagoon wrote:SELinux won't help as you also have root.

So... it's technically "bloat". I don't want it, I think changing the profile and removing the selinux packages will solve it. I'll think about it..

NeddySeagoon wrote:But there is the obligatory xkcd to keep in mind too.

Oh no... that thing I totally forgot about.

I believe that the only way to mitigate this is advanced TOTAL online anonymity.. but encrypting and hiding the "secrets" within an encrypted disk (and plausible deniability?) can be possible

NeddySeagoon wrote:There is no need to use the same USE flags in the initrd as you do in the live system. Indeed it's a good idea not to.

It sounds sort of inconvenient... I'll still have to know how to isolate initrd-related packages to these and remove them from @world so that I can put them then in another set.

NeddySeagoon wrote:Anything and everything in the initrd can be dynamically linked provided the dynamic linker

Oh, I used to believe that they had to be static since they're in the /boot partition, it seems that it ain't. The initrd is formed when these software are installed just like GRUB

To me building statically now are totally pointless! (maybe even BusyBox for the initramfs)

NeddySeagoon wrote:If it wants to install masked packages or 'live' versions, its leading you astray. That's the worst excesses of --autounmask.

But without it I couldn't install any package I want

Haven't you ever tried installing an "essential" package and found out it's masked? Do you actually CHECK and unmask them manually to make sure everything's safe?

Now the slot conflict is something I should look out myself.. I'll post if I'm stuck

There're a few other issues I'll later talk about.. that's Install Gentoo

Post by **NeddySeagoon** » Sun Oct 08, 2023 8:41 pm

Torpus,

But without it I couldn't install any package I want :? Haven't you ever tried installing an "essential" package and found out it's masked? Do you actually CHECK and unmask them manually to make sure everything's safe? 8O

I occasionally find I need a masked package. I make sure I understand the risks and the reason for the mask before I install it.
In a word yes, that's what I do.

You will only climb the learning curve once.

You cannot have TOTAL online anonymity. Traffic analysis will show who you communicate with on line. The packet content can be encrypted but the headers must be clear text or routing will fail.
Services like tor and VPNs make the traffic analysis harder.
Where do you find a VPN provider that you can trust?

Plausible deniability is not possible if you use trim.

NeddySeagoon wrote:
There is no need to use the same USE flags in the initrd as you do in the live system. Indeed it's a good idea not to.

It sounds sort of inconvenient... I'll still have to know how to isolate initrd-related packages to these and remove them from @world so that I can put them then in another set.

It may be if the initrd needs to be maintained as it would if it included ssh access. If the initrd is just user space tools, the only reason to update it it to change the init script that it contains.
Its like firmware. My April 2009 initrd still works.

The initrd is a root filesystem in a file. That's all. It can contain anything the root filesystem contains.
e.g. Use bash or some random shell if you like. Busybox is usually used as the shell is good enough and it provides lots of cut down utilities for free too.
If you drop busybox for another shell, you will need to provide the user space tools you require too.

You are the designer of your distro. Think about what you want and how you will achieve it before you pick up your live USB.
Make notes too. Leave plenty of room for changes. You will make changes.

Torpus · Post by **Torpus** » Sun Oct 08, 2023 9:13 pm

NeddySeagoon,

NeddySeagoon wrote:In a word yes, that's what I do.

NeddySeagoon wrote:You will only climb the learning curve once.

I believe that despite this it's so easy for you to handle it (and it's uncomplicated). It's all about how one's familiar with Gentoo. Gentoo must be /comfy/ if the Gentooer knows it well.

While installing Gentoo I can't think of myself using anything else..

Larry the Cow was a bit frustrated at the current state of Linux distributions...
...until he tried Gentoo Linux

NeddySeagoon wrote:Traffic analysis will show who you communicate with on line.

Yes, no matter how a computer is "anonymous" that's the one thing tracked by ISP that can be used to reveal the real identity over time.. no mitigation for it is found yet. :(

VPNs can't be trusted but some are better than other, ideally a self-hosted VPN is the solution.

NeddySeagoon wrote:You are the designer of your distro. Think about what you want and how you will achieve it before you pick up your live USB.
Make notes too. Leave plenty of room for changes. You will make changes.

That's a but hard for a n00b. I did make a general idea of it but haven't gone specific yet. At this time now *almost* everything's good except for a little thing which I'm not sure you know about..

Is it normal for Portage to re-emerge LLVM/Clang/Rust in order to use either version 16 or 17 to compile a specific package that needs either one of them? It's happening a me & it's so annoying. Maybe THIS is an issue caused by me unmasking everything. It might be mitigated by deleting zz-autounmask file.

Torpus · Post by **Torpus** » Mon Oct 09, 2023 4:18 am

LOL. Just realized that removing SELinux requires a fresh re-installation. Had a good cry over that.

EDIT: In fact I'm gonna keep it. Despite being the only user SELinux can still do something if set up properly:

someone wrote:SELinux is designed to sandbox apps so they can only perform specific approved functions. for instance, if a site tricked your browser into downloading and installing a RASKit, SELinux would (assuming your profile is correctly defined) prevent the RASKit from being installed.

In addition to applications that receive remote input like browsers, SELinux (once again, when properly used) will also protect against rogue apps, masquerading as trusted ones. If your distros repositories are comprimised for instance, and tricked into pushing down bad versions of updates to your applications, SELinux should prevent them from taking actions that the legitimate version was not allowed to take.

Mandatory Access Control isn't so much about users, as it is about applications, and SELinux or AppArmor are designed to prevent these applications from exceeding their expected levels of privilege. This is especially import for applications you run as root.

Check this also

I think it's the one responsible for making net.wlp2s0 inactive and not make me able to use dnsmasq because of that. That'll be kept for later.

Post by **NeddySeagoon** » Mon Oct 09, 2023 8:21 am

Torpus,

Is it normal for Portage to re-emerge LLVM/Clang/Rust in order to use either version 16 or 17 to compile a specific package that needs either one of them? It's happening a me & it's so annoying. Maybe THIS is an issue caused by me unmasking everything. It might be mitigated by deleting zz-autounmask file.

I never check. I kick off the update and let it run in the background.

You may be able to cheat a little by saving binary packages and adding -k to your emerge command. That means to use binaries if possible.
Hmm ... llvm is slotted ...

Code: Select all

[I] sys-devel/llvm
     Available versions:  
     (14)   14.0.6-r4^t
     (15)   15.0.7-r3(15/15)^t{tbz2}
     (16)   16.0.6(16/16)^t{tbz2}
     (17)   **17.0.0_rc4(17/17)^t (~)17.0.1(17/17)^t{tbz2} **17.0.1.9999(17/17)*l^t
     (18)   **18.0.0_pre20230906(18/18.0.0_pre20230906)^t **18.0.0_pre20230925(18/18.0.0_pre20230925)^t **18.0.0.9999(18/18.0.0.9999)*l^t

Its not clear there but I have slots 16 and 17 installed. Is llvm rebuilding or adding a new slot?
Slots allow for multiple versions to be installed at the same time. Things that depend on llvm can also depend on a particular slot. Rust is not slotted, so that doesn't apply.
Testing Rust is updated fairly often though.

LOL. Just realized that removing SELinux requires a fresh re-installation. Had a good cry over that. :lol:

That's part of the learning curve.

EDIT: In fact I'm gonna keep it. Despite being the only user SELinux can still do something if set up properly:

I'll add that to the list of things I've learned. Thank you.

Torpus · Post by **Torpus** » Mon Oct 09, 2023 6:46 pm

NeddySeagoon,

I'm updating @world now. I just checked and it was all just because some sort of new USE flag was added. :lol:

Yes, just one USE flag rebuilds it again. I get it now. Oops!

NeddySeagoon wrote:I'll add that to the list of things I've learned. Thank you.

You're welcome :)