Weekly portage-stable package updates 2024-11-11

[github-actions]

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1839/cldsv/

• net-dns/bind-tools is deprecated in favor of net-dns/bind
  • net-dns/bind requires a bunch of installation masks and package.provided entries to avoid installing unnecessary stuff (named binaries, named user and group packages)
  • packages in overlay are updated, so they pull in bind instead of bind-tools
• dev-util/bpftool started to depend unconditionally on clang, so that the co-re stuff gets built
  • llvm and clang are quite large and slow-to-build additions to SDK, so not sure if there's a point in pulling those, especially that software needing co-re will probably come with their own needed builds in the docker image anyway
  • worked it around by masking some llvm slots for the bpftool package
  • the updated version in Gentoo will put clang behind a USE flag
• sys-boot/mokutils got a ** accept keywords because it's missing a keyword for arm64, so an older version was being pulled in…

--

• app-arch/libarchive: [PROD] [DEV]

  • from 3.7.6 to 3.7.7
  • release notes: https://github.com/libarchive/libarchive/releases/tag/v3.7.7

• app-containers/aardvark-dns: [SYSEXT-PODMAN]

  • from 1.12.2 to 1.12.2-r1
  • revision bump for slotted Rust

• app-containers/docker: [DOCKER]

  • from 27.2.1 to 27.3.1
  • release notes: https://github.com/moby/moby/releases/tag/v27.3.1

• app-containers/docker-cli: [DOCKER]

  • from 27.2.1 to 27.3.1
  • release notes: https://github.com/moby/moby/releases/tag/v27.3.1

• app-containers/netavark: [SYSEXT-PODMAN]

  • from 1.12.2 to 1.12.2-r1
  • revision bump for slotted Rust

• app-containers/podman: [SYSEXT-PODMAN]

  • still at 5.2.4
  • fixed relabeling issue
  • dropped obsolete accept keywords from overlay profiles

• app-doc/eclass-manpages:

  • from 20241015 to 20241109
  • release notes: none

• app-eselect/eselect-rust:

  • still at 20210703
  • EAPI 8

• app-portage/gentoolkit: [DEV]

  • from 0.6.7 to 0.6.8
  • release notes: https://gitweb.gentoo.org/proj/gentoolkit.git/log/?h=gentoolkit-0.6.8

• dev-build/autoconf:

  • from 2.71-r7 to 2.72-r1
  • EAPI 8
  • release notes: https://lists.gnu.org/archive/html/autotools-announce/2023-12/msg00003.html

• dev-build/cmake:

  • from 3.30.2 to 3.30.5
  • release notes: https://cmake.org/cmake/help/v3.30/release/3.30.html#id5

• dev-build/make: [DEV]

  • from 4.4.1-r1 to 4.4.1-r100
  • bumped revision because of a switch to guile-single eclass

• dev-debug/gdb: [DEV]

  • from 15.2 to 15.2-r100
  • bumped revision because of a switch to guile-single eclass

• dev-lang/python-exec: [AZURE] [DEV] [GCE] [SYSEXT-PYTHON]

  • still at 2.4.10
  • bumped python compat to 3.10..13

• dev-lang/rust:

  • from 1.81.0 to 1.81.0-r100
  • revision bump because of making rust slotted
  • dropped profiler USE flag, enabled unconditionally
  • pull in new package - dev-lang/rust-common

• dev-libs/elfutils: [PROD] [DEV]

  • from 0.191-r1 to 0.191-r2
  • added USE=static-libs, not enabled
    • used to be there before, so it's brought back

• dev-libs/jsoncpp:

  • still at 1.9.6-r2
  • became stable, so dropped accept keywords from overlay profiles

• dev-libs/libmspack: [VMWARE]

  • from 0.10.1_alpha-r1 to 1.11
  • release notes: https://github.com/kyz/libmspack/commits/v1.11/libmspack

• dev-libs/libpipeline: [DEV]

  • still at 1.5.8
  • regenerate libtool files

• dev-libs/libtraceevent:

  • from 1.7.3 to 1.8.3
  • release notes: https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/tag/?h=libtraceevent-1.8.3

• dev-libs/libtracefs:

  • from 1.7.0 to 1.8.1
  • release notes: https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git/tag/?h=libtracefs-1.8.1

• dev-libs/libxml2: [PROD] [DEV]

  • from 2.12.7 to 2.12.8
  • bumped python compat to 3.10..13
  • release notes: https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.8

• dev-python/charset-normalizer: [SYSEXT-PYTHON]

  • from 3.3.2 to 3.4.0
  • release notes: https://github.com/jawah/charset_normalizer/releases/tag/3.4.0

• dev-python/cryptography:

  • from 43.0.1 to 43.0.3-r1
  • release notes: https://github.com/pyca/cryptography/blob/43.0.3/CHANGELOG.rst

• dev-python/distlib: [SYSEXT-PYTHON]

  • from 0.3.8 to 0.3.9
  • release notes: https://github.com/pypa/distlib/blob/0.3.9/CHANGES.rst

• dev-python/hatchling:

  • from 1.25.0 to 1.25.0-r1
  • bumped revision because of trove-classifiers dependency bump

• dev-python/jaraco-functools: [SYSEXT-PYTHON]

  • from 4.0.2 to 4.1.0
  • release notes: https://github.com/jaraco/jaraco.functools/blob/v4.1.0/NEWS.rst

• dev-python/jinja2:

  • still at 3.1.4
  • renamed from dev-python/jinja

• dev-python/markupsafe:

  • from 2.1.5 to 3.0.2
  • added USE=native-extensions, enabled by default
  • release notes: https://github.com/pallets/markupsafe/releases/tag/3.0.2

• dev-python/pillow:

  • from 10.4.0 to 11.0.0-r1
  • release notes: https://pillow.readthedocs.io/en/stable/releasenotes/11.0.0.html

• dev-python/pyproject-hooks: [SYSEXT-PYTHON]

  • from 1.1.0 to 1.2.0
  • release notes: https://github.com/pypa/pyproject-hooks/blob/v1.2.0/docs/changelog.rst

• dev-python/rich: [SYSEXT-PYTHON]

  • from 13.9.2 to 13.9.3
  • release notes: https://github.com/Textualize/rich/releases/tag/v13.9.3

• dev-python/setuptools: [SYSEXT-PYTHON]

  • from 74.1.3 to 74.1.3-r1
  • bumped revision because of trove-classifiers dependency bump

• dev-python/trove-classifiers: [SYSEXT-PYTHON]

  • from 2024.9.12 to 2024.10.21.16
  • release notes: https://github.com/pypa/trove-classifiers/commits/2024.10.21.16/

• dev-python/truststore: [SYSEXT-PYTHON]

  • from 0.9.2 to 0.10.0
  • release notes: https://github.com/sethmlarson/truststore/blob/v0.10.0/CHANGELOG.md

• dev-util/bpftool: [PROD] [DEV]

  • downgraded from 7.5.0-r1 to 7.4.0
  • added unconditional build dependency on clang
    • worked around by masking the llvm_slot_18 USE flag, so llvm_gen_dep (which is used to generate the dependency) prints nothing
    • bpftool build system will detect a missing clang and act accordingly (by not building co-re infra)
  • the downgrade was done by Gentoo because of a broken vendored libbpf version

• dev-util/maturin:

  • from 1.7.1 to 1.7.4-r1
  • release notes: https://github.com/PyO3/maturin/blob/v1.7.4/Changelog.md

• eclass/cargo.eclass:

  • switched to slotted Rust
  • drops dependency on virtual/rust

• eclass/eapi7-ver.eclass:

  • unused, dropped

• eclass/eqawarn.eclass:

  • unused, dropped

• eclass/java-utils-2.eclass:

  • dropped unused/obsolete stuff

• eclass/rust.eclass:

  • added from Gentoo

• eclass/toolchain.eclass:

  • replaced dependency on virtual/rust with whatever rust eclass provides

• eclass/versionator.eclass:

  • unused, dropped

• net-misc/chrony: [AZURE]

  • still at 4.6
  • moved deps on acct-{group,user}/ntp from DEPEND to BDEPEND and RDEPEND

• net-misc/curl: [PROD] [DEV]

  • from 8.10.1 to 8.10.1-r1
  • became stable, so dropped accept keywords from overlay profiles

• net-misc/openssh: [PROD] [DEV]

  • from 9.8_p1-r2 to 9.8_p1-r3
  • added USE=legacy-ciphers, not enabled
    • enables support for deprecated, soon-to-be-dropped DSA keys

• profiles:

  • masked all non-slotted rust toolchain packages (virtual/rust, dev-lang/rust, dev-lang/rust-bin)
  • masked dev-util/bpftool 7.5.0-r{1,2} due to using unreleased libbpf

• sys-apps/azure-vm-utils: [PROD] [DEV]

  • from 0.3.0 to 0.4.0
  • release notes: https://github.com/Azure/azure-vm-utils/commits/v0.4.0/

• sys-apps/checkpolicy: [PROD] [DEV]

  • from 3.6 to 3.7-r1
  • EAPI 8
  • release notes: https://github.com/SELinuxProject/selinux/releases/tag/3.7

• sys-apps/ethtool: [PROD] [DEV]

  • still at 6.9
  • added virtual/pkgconfig to BDEPEND

• sys-apps/gawk: [PROD] [DEV]

  • from 5.3.0-r1 to 5.3.1
  • release notes: https://lists.gnu.org/archive/html/info-gnu/2024-09/msg00008.html

• sys-apps/zram-generator: [PROD] [DEV]

  • from 1.1.2 to 1.1.2-r1
  • revision bump for slotted Rust

• sys-block/thin-provisioning-tools: [PROD] [DEV]

  • from 1.0.10 to 1.0.10-r1
  • revision bump for slotted Rust

• sys-boot/gnu-efi:

  • from 3.0.18-r3 to 3.0.18-r5
  • nothing interesting

• sys-boot/mokutil: [PROD] [DEV]

  • from 0.6.0 to 0.7.2
  • release notes: https://github.com/lcp/mokutil/commits/0.7.2/

• sys-devel/gcc: [PROD] [DEV]

  • from 13.3.1_p20240614 to 13.3.1_p20241025
  • probably switching to slotted rust here

• sys-fs/squashfs-tools-ng:

  • from 1.3.1 to 1.3.2
  • release notes: https://github.com/AgentD/squashfs-tools-ng/blob/v1.3.2/CHANGELOG.md

• sys-libs/libcap: [PROD] [DEV]

  • still at 2.70
  • updated license

• sys-libs/libselinux: [PROD] [DEV]

  • from 3.6-r1 to 3.7-r1
  • EAPI 8
  • bumped python compat to 3.10..13
  • release notes: https://github.com/SELinuxProject/selinux/releases/tag/3.7

• sys-libs/libsepol: [PROD] [DEV]

  • from 3.6 to 3.7
  • EAPI 8
  • added USE=static-libs, enabled by default
  • release notes: https://github.com/SELinuxProject/selinux/releases/tag/3.7

• x11-libs/pixman:

  • still at 0.43.4
  • fixed build with new binutils

--

• changelog
• image diff

[dongsupark]

Interesting, because now bind-tools was dropped, while bind was added.
That means from now on we should double-check if new bind security issues affect Flatcar. So far we could ignore all daemon-related security issues of bind, because bind was never included. However, that is not the case any more.

[chewi]

Interesting, because now bind-tools was dropped, while bind was added. That means from now on we should double-check if new bind security issues affect Flatcar. So far we could ignore all daemon-related security issues of bind, because bind was never included. However, that is not the case any more.

The change upset quite a few people including myself, but I spoke with the great Sam, and he insisted it just wasn't practical to keep them split any more. I trust his judgement. I am well aware that bind is hit by many vulnerabilities, but we're install-masking the daemon binaries, so we can immediately discount these.

[github-actions]

Build action triggered: https://github.com/flatcar/scripts/actions/runs/11936185535

[chewi]

If it helps, I think INSTALL_MASK can be inverted with * -/usr/bin/dig -/usr/lib*/*.so* ….

[dongsupark]

The change upset quite a few people including myself, but I spoke with the great Sam, and he insisted it just wasn't practical to keep them split any more. I trust his judgement. I am well aware that bind is hit by many vulnerabilities, but we're install-masking the daemon binaries, so we can immediately discount these.

Thanks. Right, am relieved as daemon binaries are not installed. But it still needs double-checking because some shared libraries are now being installed.

/usr/lib64/libbind9-9.18.29.so
/usr/lib64/libbind9.so
/usr/lib64/libdns-9.18.29.so
/usr/lib64/libdns.so
/usr/lib64/libirs-9.18.29.so
/usr/lib64/libirs.so
/usr/lib64/libisc-9.18.29.so
/usr/lib64/libisc.so
/usr/lib64/libisccfg-9.18.29.so
/usr/lib64/libisccfg.so
/usr/lib64/libns-9.18.29.so
/usr/lib64/libns.so

On top of that, the bind ebuild does not provide USE flags for distinguishing client or server from each other. That is not a good sign for downstream distros like Flatcar.

[krnowak]

The change upset quite a few people including myself, but I spoke with the great Sam, and he insisted it just wasn't practical to keep them split any more. I trust his judgement. I am well aware that bind is hit by many vulnerabilities, but we're install-masking the daemon binaries, so we can immediately discount these.

Thanks. Right, am relieved as daemon binaries are not installed. But it still needs double-checking because some shared libraries are now being installed.

/usr/lib64/libbind9-9.18.29.so
/usr/lib64/libbind9.so
/usr/lib64/libdns-9.18.29.so
/usr/lib64/libdns.so
/usr/lib64/libirs-9.18.29.so
/usr/lib64/libirs.so
/usr/lib64/libisc-9.18.29.so
/usr/lib64/libisc.so
/usr/lib64/libisccfg-9.18.29.so
/usr/lib64/libisccfg.so
/usr/lib64/libns-9.18.29.so
/usr/lib64/libns.so

These need to be installed, because the tools are not statically linked anymore.

On top of that, the bind ebuild does not provide USE flags for distinguishing client or server from each other. That is not a good sign for downstream distros like Flatcar.

That would be useful, true. But probably will be deemed not practical, just like bind-tools ebuild was.