On Tue, Oct 5, 2010 at 7:41 PM, Donnie Berkholz <dberkholz@gentoo.org> wrote:
> On 15:52 Tue 05 Oct Â* Â* , "PaweÅ‚ Hajdan, Jr." wrote:
>> The meaning is identical in all those cases, and I think the number of
>> packages may have hit the threshold for a global flag.
>>
>> However, we already have a very similar global USE flag: sqlite, which
>> makes this a bit more tricky. The difference is very subtle:
>>
>> IUSE="sqlite" means "the sqlite support is optional; -sqlite means no
>> sqlite support"
>>
>> IUSE="system-sqlite" means "we can use the bundled sqlite or the
>> system one; -system-sqlite means we use the bundled one; both settings
>> result in sqlite support"
>>
>> If we'd make system-sqlite a global USE flag, I'd suggest a
>> description like "Use the system-wide dev-db/sqlite instead of bundled
>> copy of sqlite."
>
> I think making this a global flag implicitly endorses building bundled
> code as an OK thing to do. Why is it an option at all, local or
> otherwise?
>

The reason is that with SQLITE_SECURE_DELETE, sqlite zeroes out
portions that have been deleted causing a very noticeable drop in
performance. This may be acceptable for browsers, but is rarely
desirable system-wide. See
https://bugzilla.mozilla.org/show_bug.cgi?id=546162 for details.

To fix this problem sqlite upstream made a specific change allowing a
#pragma to be used to define where secure-delete is required, avoiding
the need to use secure-delete *everywhere*.[1] However, Mozilla
upstream considers the two-line-change[2] an unacceptable level of
maintenance burden, and refused to implement it[3].

I presume Chromium upstream has a similar stance on the issue, hence
making the use-flag necessary for us since we (at least mozilla team)
avoid adding patches that are not upstream yet.

1. https://bugzilla.mozilla.org/show_bug.cgi?id=546162#c8
2. https://bugzilla.mozilla.org/show_bug.cgi?id=546162#c11
3. https://bugzilla.mozilla.org/show_bug.cgi?id=546162#c15
--
~Nirbheek Chauhan

Gentoo GNOME+Mozilla Team

On Tuesday, October 05, 2010 10:35:57 Nirbheek Chauhan wrote:
> To fix this problem sqlite upstream made a specific change allowing a
> #pragma to be used to define where secure-delete is required, avoiding
> the need to use secure-delete *everywhere*.

so what you're saying is that this USE flag can die once people fix/update
their packages
-mike

On Wed, Oct 6, 2010 at 7:36 AM, Mike Frysinger <vapier@gentoo.org> wrote:
> On Tuesday, October 05, 2010 10:35:57 Nirbheek Chauhan wrote:
>> To fix this problem sqlite upstream made a specific change allowing a
>> #pragma to be used to define where secure-delete is required, avoiding
>> the need to use secure-delete *everywhere*.
>
> so what you're saying is that this USE flag can die once people fix/update
> their packages
> -mike
>

What I'm saying is that mozilla team will not do it unless you either:

(a) You convince/bribe/cluebat upstream (we've tried and failed), or
(b) You write a patch that you promise to maintain forever with quick
responses for security bumps

Keep in mind that firefox usually only works with a very narrow range
of sqlite versions. If it's too low, it won't compile, or have runtime
failures (when they forget to update the min system-sqlite version).
If it's too high, it'll have strange runtime bugs since firefox relies
too heavily on existing sqlite behaviour[1].

1. https://bugzilla.mozilla.org/show_bug.cgi?id=583611
--
~Nirbheek Chauhan

Gentoo GNOME+Mozilla Team

On Tue, 05 Oct 2010 15:52:42 +0200
"Paweł Hajdan, Jr." <phajdan.jr@gentoo.org> wrote:

> The meaning is identical in all those cases, and I think the number of
> packages may have hit the threshold for a global flag.
>
> <...>
>
> If we'd make system-sqlite a global USE flag, I'd suggest a description
> like "Use the system-wide dev-db/sqlite instead of bundled copy of sqlite."
>
> What do you think?

This isn't a flag that should ever be used outside of a specific use-case,
which is itself a workaround for retarded upstream policies. Making it global
has zero advantages.

--
fonts, gcc-porting, we hold our breath, we spin around the world
toolchain, wxwidgets you and me cling to the outside of the earth
@ gentoo.org EFFD 380E 047A 4B51 D2BD C64F 8AA8 8346 F9A4 0662

On Tuesday, October 05, 2010 23:04:32 Nirbheek Chauhan wrote:
> On Wed, Oct 6, 2010 at 7:36 AM, Mike Frysinger wrote:
> > On Tuesday, October 05, 2010 10:35:57 Nirbheek Chauhan wrote:
> >> To fix this problem sqlite upstream made a specific change allowing a
> >> #pragma to be used to define where secure-delete is required, avoiding
> >> the need to use secure-delete *everywhere*.
> >
> > so what you're saying is that this USE flag can die once people
> > fix/update their packages
>
> What I'm saying is that mozilla team will not do it unless you either:
>
> (a) You convince/bribe/cluebat upstream (we've tried and failed), or
> (b) You write a patch that you promise to maintain forever with quick
> responses for security bumps
>
> Keep in mind that firefox usually only works with a very narrow range
> of sqlite versions. If it's too low, it won't compile, or have runtime
> failures (when they forget to update the min system-sqlite version).
> If it's too high, it'll have strange runtime bugs since firefox relies
> too heavily on existing sqlite behaviour[1].

so getting back to the original question: no, this should not be a global USE
flag, and yes, this local flag should die.
-mike