Tootfinder

Opt-in global Mastodon full text search. Join the index!

@mgorny@social.treehouse.systems
2024-04-15 12:18:23

If anyone has any doubts what state #Gentoo Foundation was in, here's yet another fun event: an ex-Trustee making a vote, seemingly without realizing he's no longer a Trustee for 2 years now…
bugs.gentoo.org/929012#c5
wiki.gentoo.org/wiki/Project:E

@mgorny@pol.social
2024-04-15 12:18:23

Jeżeli ktoś zastanawia się, w jakim stanie była #Gentoo Foundation, oto kolejny przykład: były powiernik oddaje głos, zdając się przy tym kompletnie nieświadomy, że już od dwóch lat nie jest powiernikiem…
bugs.gentoo.org/929012#c5

@mgorny@social.treehouse.systems
2024-06-16 17:26:43

Today's exercise: checking how many #Gentoo packages can be ported to #Python 3.13, while new kernel binary packages are building.
Then I'm going to have a hard exercise in rebasing.

@mgorny@pol.social
2024-06-16 17:26:17

Ćwiczenie na dziś: ile paczek #Gentoo uda się sportować do Pythona 3.13 w czasie, który potrzeba na zbudowaniu paczek binarnych dla nowych jąder.
Następne w kolejce jest ćwiczenie trudnego `git rebase`.
#Python

@mgorny@social.treehouse.systems
2024-06-16 17:26:43

Today's exercise: checking how many #Gentoo packages can be ported to #Python 3.13, while new kernel binary packages are building.
Then I'm going to have a hard exercise in rebasing.

@mgorny@pol.social
2024-04-16 06:24:48

#Setuptools w końcu zaimplementowało #PEP625, a dziś trafiłem na pierwsze archiwum sdist, wyprodukowane pzez setuptools, które korzysta z nowego nazewnictwa (było to cfn-lint, jeżeli jesteście ciekawi).
Dla #Gentoo

@mgorny@social.treehouse.systems
2024-04-16 05:28:32

On the Sunday's Council Meeting, #Gentoo has approved the new #AI contribution policy:
"""
It is expressly forbidden to contribute to Gentoo any content that has been created with the assistance of Natural Language Processing artificial intelligence tools. This motion can be revisited, should a case been made over such a tool that does not pose copyright, ethical and quality concerns.
"""
#LLM #NLP

@mgorny@social.treehouse.systems
2024-04-11 15:21:45

While looking for something, I accidentally dug up my first ::gentoo commit as a developer (I think). It was taking over… app-shells/posh. Yep, the thing that tried hard to be a strict POSIX shell.
#Gentoo

@xtaran@chaos.social
2024-05-14 17:35:57

#TIL: A #Xen #Dom0 running #Debian 12 Bookworm or #Gentoo

@mgorny@pol.social
2024-06-15 08:58:59

Dodałem do #Gentoo paczkę `dev-python/legacy-cgi`, jako port usuniętego z Pythona 3.13 modułu `cgi` (i `cgitb`). Zwracam jednak uwagę, że to jedynie rozwiązanie tymczasowe, zastosowane, by na wpół martwe paczki zaczęły działać, a nie coś, na czym powinno się długotrwale polegać. Tak więc już na wejściu oznaczyłem tę paczkę jako odradzaną (deprecated).
Najlepiej też unikać instalowania jej na sta…

@mgorny@social.treehouse.systems
2024-04-10 05:22:38

Of course, I can't start a day without being awfully angry about some shit.
So #Gentoo suddenly undoes USE=lzma [and USE=zstd] that used to be enabled by default in 23.0 profiles, apparently based on "consensus" on the mailing lists. The "consensus" boils down to one conspiracy theorist developer complaining, and being supported by 3 users whose Gentoo contributions boil down to having to express their opinions on everything on the mailing list.
This isn't only a problem, because Gentoo is letting itself be controlled by a vocal minority. This is a problem, because we've enabled something that can affect program output, told everyone to upgrade and rebuild their systems, then pulled the carpet from under them.
Wait, did that random app start using LZMA compression now that you've enabled it? Well, bad luck, you won't be able to open your files anymore. Surely, there's no better #security than not being able to do anything!
Unfortunately, sys-apps/kmod had explicit IUSE= lzma by default for a while now, so there's still a risk that you'll be able to boot your system. That's not good for security at all!
#xz

@mgorny@pol.social
2024-06-14 15:57:23

Po kolejnej rundzie portów do Pythona 3.13 w #Gentoo, przychodzi mi do głowy ten mem z wielką, zatłoczoną autostradą, tyle że z komentarz:
Tylko jeszcze jeden microframework! Obiecuję wam, jeszcze jeden microframework i wszystkie problemy zostaną rozwiązane!
#Python

@mgorny@social.treehouse.systems
2024-04-14 02:40:33

Re: #Fedora Strategy 2028: April 2024 Update
(via: #Gentoo will do in 2028, but today we're voting on banning #AI created content. Makes me think of that meme with crossroads leading into a sunny and a dark place.
marc.info/?l=gentoo-project&m=
communityblog.fedoraproject.or

@mgorny@pol.social
2024-05-14 19:13:46

#CPython 3.13 w #Gentoo ma dwie fajne, nowe flagi dla eksperymentalnych funkcji.
USE=jit − jak włączycie, to dostanie kompilację w czasie rzeczywistym, czyli kopa do wydajności kodu. Rzecz jasna, dostaniecie też przypadkowe segfaulty, itp.
USE=gil − jak wyłączycie, to pozbędzie się Global Interpret…

@mgorny@social.treehouse.systems
2024-06-15 08:59:00

I've added `dev-python/legacy-cgi` to #Gentoo, as a "forward-port" of the removed #Python `cgi` (and `cgitb`) module to Python 3.13. That said, it's only a stop-gap solution to make semi-dead packages work and not something you should rely on, so it's marked as deprecated immediately after being added.
Also, ideally please avoid keeping it installed in your dev environments. Once installed, all `import cgi` statements will suddenly start working, so you're going to miss Python 3.13 incompatibility issues (and therefore miss the dependency on this package).

@xtaran@chaos.social
2024-05-14 17:35:57

#TIL: A #Xen #Dom0 running #Debian 12 Bookworm or #Gentoo

@mgorny@pol.social
2024-06-15 09:44:57

O, super. Widzę, że #KryptoZiomki już osiągnęły ten poziom, że wysyłają ludziom #spam o "rozdawaniu" kryptowalut, i proszą o "prowizję dla znalazcy w ramach wdzięczności".
#Gentoo

@mgorny@social.treehouse.systems
2024-06-14 15:56:27

After another round of #Python 3.13 porting in #Gentoo, I'm imagining that huge crowded highway meme, except it's saying:
Just one more microframework! I promise you, one more microframework and all problems will be solved!

@mgorny@social.treehouse.systems
2024-05-14 19:13:45

#CPython 3.13 has some new fun flags for #Gentoo ricers.
USE=jit − enable to get Just-in-Time compiler and make stuff faster. Note that you're also going to see random segfaults, etc.
USE=gil − disable to get rid of Global Interpreter Lock and get a freethreading #Python. Expect some random breakage, race conditions, etc.

@mgorny@social.treehouse.systems
2024-06-15 09:44:56

Oh, great. So now #CryptoBros have gone as far as to #spam people about crypto "giveaways", and then request "founder's fee as gratitude".
#Gentoo

@mgorny@pol.social
2024-04-04 18:19:12

Wydarzył się cud! Udało mi się doprowadzić testy #SciKit Image do działania bez Internetu w #Gentoo!
Na marginesie:
1. Autorzy włączają większość niezbędnych danych w archiwum sdist. Tyle że ich nie używają, i zamiast tego ściągają je drugi raz, prosto z repozytorium na GitHubie. Wzdych. (Jeżeli czy…

@mgorny@social.treehouse.systems
2024-05-14 12:40:54

Here's my newest optimization idea for #Gentoo #Python: for pure Python packages and packages using the stable #CPython API, let's reuse previously built wheels if they're compatible instead of building them separately for each Python implementation.
This is mostly a major gain for the lot of packages using #setuptools when you're using multiple PYTHON_TARGETS, since calling into that build system has a significant cost. However, it also saves some actual compiling in the packages using the stable API (particularly, Rust packages).
github.com/gentoo/gentoo/pull/
bugs.gentoo.org/931689

@mgorny@pol.social
2024-05-12 18:35:18

Swoją drogą, jeżeli uważacie, że moje portowanie paczek pod Pythona 3.13 albo inna praca przy #Gentoo jest pomocna, rozważcie dorzucenie się do mojego funduszu na karmę dla kotów.
ko-fi.com/mgorny

@mgorny@social.treehouse.systems
2024-06-14 01:51:36

When someone reports a crash bug and the release fixing it only mentions "improving performance".
Well, I guess unaligned writes may degrade performance. Having #RustLang extension crash #Python ain't important after all.
#Gentoo

@mgorny@social.treehouse.systems
2024-05-12 18:35:17

By the way, if you find my #Python 3.13 porting or other #Gentoo work helpful, please consider donating to my cat food fund.
#donation

@mgorny@pol.social
2024-04-26 01:54:20

Dzisiejsze nagłówki gazet: dev #Gentoo, @…, oznacza Windows do usunięcia, przyznając, że są "bardzo stare" i "nie kompilują się z aktualnymi wersjami GNU Emacsa". Microsoft się nie spisał.

@mgorny@social.treehouse.systems
2024-04-04 18:19:10

It's a miracle! I've managed to make #SciKit Image tests work offline in #Gentoo!
That said:
1. Upstream includes most of the test data in sdist. Except they don't use it, and instead fetch it all from the GitHub repository. Sigh. (If you're upstream, please pretend you didn't see this and do not remove the data from sdist. Thanks.)
2. On top of that, they fetch more test data from an additional GitLab repository, and move and rename it around.
3. Yes, you've read right. They keep code on GitHub, but test data on GitLab.com (not self-hosted).
#Python

@mgorny@pol.social
2024-04-08 15:29:44
Content warning: Jadowity sarkazm

Nic nie przynosi mi więcej radości niż świadomość, że ktoś nowy aktywnie udziela się na listach mailingowych #Gentoo. Oczywiście, ten rodzaj, który nie tworzy żadnego kodu, za to musi koniecznie wyrazić swoją opinię (niepopartą wcześniejszym zbadaniem tematu) na każdy możliwy temat. Dzięki takim ludziom, Gentoo z pewnością stanie się lepsze, bo rzecz jasna, devowie nie potrzebują w tej chwili niczego …

@mgorny@social.treehouse.systems
2024-05-30 19:25:58

New on my blog: The dead weight of packages in #Gentoo
"""
You’ve probably noticed it already: Gentoo developers are overwhelmed. There is a lot of unresolved bugs. There is a lot of unmaintained packages. There is a lot of open pull requests. This is all true, but it’s all part of a larger problem, and a problem that doesn’t affect Gentoo alone.
It’s a problem that any major project is going to face sooner or later, and especially a project that’s almost entirely relying on volunteer work. It’s a problem of bitrot, of different focus, of energy deficit. And it is a very hard problem to solve.
"""
blogs.gentoo.org/mgorny/2024/0

@mgorny@social.treehouse.systems
2024-05-12 13:11:12

These is one of these days when it occurs to you: "hey, packages using #Python and #RustLang, may have *both* Python and Cargo-level tests." And then you spend a lot of time going over all Rust-enabled dev-python/* packages and adding `cargo_src_test` where appropriate.
As it turns out, many of them did. Most of these don't actually link to libpython, so I suppose it's fine to test them once. Pydantic-core does, so I test per-impl (but also can't test on PyPy). Cryptography has Rust-level tests that don't even build (they fail at linking).
#Gentoo

@mgorny@social.treehouse.systems
2024-05-12 16:45:48

How about tests that fail in a completely nondescript way if your hostname is 12 characters long? I mean, the bash prompt gets into output and breaks matching in one environment, and doesn't in an environment with a shorter hostname.
As it turns out, it was caused by putting a wrong path to bashrc override while adding zsh support to #ArgComplete. I guess most people didn't get a long enough bash prompt to hit the failure.
#Gentoo #Python

@mgorny@pol.social
2024-05-11 07:07:18

👎 stracić przydatne jednolinijkowce po utracie danych, bez backupu
👍 stracić przydatne jednolinijkowce, bo polegało się na tym, że są sobie w `~/.bash_history`, a #bash właśnie wywalił historię
#Gentoo

@mgorny@pol.social
2024-04-19 18:48:42

#PEP517 udostępnia ujednolicony interfejs dla wszystkich systemów budowania paczek w Pythonie; tak, by ludzie nie musieli implementować odrębnego kodu dla obsługi każdego z nich.
Właśnie dlatego #Gentoo dla obsługi Pythona ma już specjalną logikę i haki dla 5 różnych systemów budowania opartych o PEP517. …

@mgorny@social.treehouse.systems
2024-04-08 15:29:43

Juicy sarcasm
Nothing brings me more joy than having another prolific contributor on #Gentoo mailing lists. Yes, the kind who contributes no actual code, but must express their uneducated opinion on absolutely everything. Thanks to these people Gentoo will surely grow better, because obviously all that developers need is another ton of walls-of-text-with-no-content mails to power their burnout.

@mgorny@pol.social
2024-06-10 02:54:11

Problem z kończeniem porannych przygotowań wcześnie jest taki, że zostaje ci trochę wolnego czasu. Naturalnie więc zaczynasz robić coś dodatkowego przy #Gentoo. Oczywiście, zajmuje to więcej czasu niż się spodziewałeś, więc koniec końców, biegniesz na pociąg.
Czasem jednak z dumą możesz stwierdzić, że skończyłeś dodatkową robotę idealnie w czas. Wówczas odkrywasz, że nastąpiła "korekta&quot…

@mgorny@social.treehouse.systems
2024-06-12 10:09:19

Previous Linux kernel batch was released on 2024-05-30. After bumping them, I've discovered that Docker is broken on bogsucker, our PPC64LE builder. In the meantime, bogsucker died completely.
Today, we've gotten it back online. I've debugged the Docker issue and solved it (admittedly, I should have tried upgrading it to the very newest ~arch version before debugging). Just as I was finishing building new images for reproducible kernel builds, new kernels were released upstream.
That was close.
#Gentoo

@mgorny@pol.social
2024-05-09 05:41:48

Wczoraj dodałem Pythona 3.13.0b1 do #Gentoo, razem ze wsparciem na poziomie eclass oraz pierwszą partią portów (z PyTestem włącznie).
Na razie tylko dla amd64, bo musimy przetestować mpdecimal.
#Python

@mgorny@social.treehouse.systems
2024-04-22 18:07:40

#Gentoo Infra: unable to get even the most trivial hosting for developer-made distfiles, first requested in 2007.
bugs.gentoo.org/176186
Also Gentoo Infra: putting a lot of effort to find, archive and mirror historical upstream distfiles.
bugs.gentoo.org/834712
I mean, Gentoo developers are using hacky solutions right now, and are irrevocably discarding old, custom-made distfiles, because of limited space on the disk used to host them. Wouldn't it make more sense to stop this from happening first?

@mgorny@social.treehouse.systems
2024-04-22 18:07:40

#Gentoo Infra: unable to get even the most trivial hosting for developer-made distfiles, first requested in 2007.
bugs.gentoo.org/176186
Also Gentoo Infra: putting a lot of effort to find, archive and mirror historical upstream distfiles.
bugs.gentoo.org/834712
I mean, Gentoo developers are using hacky solutions right now, and are irrevocably discarding old, custom-made distfiles, because of limited space on the disk used to host them. Wouldn't it make more sense to stop this from happening first?

@mgorny@social.treehouse.systems
2024-05-11 07:07:17

👎 losing useful snippets because of data loss and no backups
👍 losing useful snippets because you relied on keeping them in `~/.bash_history` and #bash wiped that file
#Gentoo

@mgorny@social.treehouse.systems
2024-04-16 06:24:49

#Setuptools finally implemented #PEP625, and I've hit the first setuptools-produced sdist following the new scheme today (it was cfn-lint, if you're curious).
For #Gentoo, this means that we may be finally able to remove the `PYPI_NO_NORMALIZE` hack one day.
#PyPI #Python

@mgorny@pol.social
2024-05-07 12:28:22

Najnowsze wersje Django podpisane były przez nową osobę, więc musiałem zaktualizować paczkę kluczy, których #Gentoo używa do weryfikacji archiwów. Paczka ta pobiera klucze #PGP z różnych źródeł, a potem łączy je w jeden plik. Lecz dzisiaj po prostu nie mogłem doprowadzić nowego klucza do działania! A konkretnie rz…

@mgorny@pol.social
2024-05-07 12:28:22

Najnowsze wersje Django podpisane były przez nową osobę, więc musiałem zaktualizować paczkę kluczy, których #Gentoo używa do weryfikacji archiwów. Paczka ta pobiera klucze #PGP z różnych źródeł, a potem łączy je w jeden plik. Lecz dzisiaj po prostu nie mogłem doprowadzić nowego klucza do działania! A konkretnie rz…

@mgorny@social.treehouse.systems
2024-06-10 02:42:25

The problem with finishing with your morning routine early is that you end up with spare time. So you can start doing more #Gentoo stuff. More stuff ends up using more time than expected, and you end up running to catch the train.
Of course, sometimes you finish "more stuff" just in time, and you're really proud of yourself. Then you discover that there's been a train timetable "adjustment" (and that only because you were checking if it wasn't delayed) and you end up having to run anyway. And then check if your 3-change connection and 2-change return journey still exists.

@mgorny@social.treehouse.systems
2024-04-26 01:54:19

Today's headlines: a #Gentoo developer @… last rites Windows, admitting it's "very old" and "failing to compile with modern GNU Emacs". Poor job, Microsoft.
mail-archive.com/gentoo-dev@li

@mgorny@social.treehouse.systems
2024-05-09 05:39:34

I've added #Python 3.13.0b1 to #Gentoo yesterday, along with the initial eclass support and a few baseline ports (up to PyTest).
It's amd64-only for the time being, since we need to keyword mpdecimal.

@mgorny@pol.social
2024-06-04 15:48:22

Zajęło mi to prawie 3 godziny, ale #PipX 1.6.0 wylądował w #Gentoo, z nową wersją podrobionych danych testowych, które zajmują tylko 70 KiB (autorzy używają ~160 MiB paczek, dla każdej implementacji z osobna).
Co istotniejsze, tym razem nie stworzyłem tego na kolanie, ale napisałem porządny skrypt z instruk…

@mgorny@social.treehouse.systems
2024-04-08 16:21:15

Did you notice that the word "backslashes" includes "lashes"? That's precisely how I feel about people using unnecessary backslashes all over the place in #Python or #Bash code.
#Gentoo

@mgorny@social.treehouse.systems
2024-05-08 16:02:02

> No bug has been reported in over 10 years despite heavy usage in Python and PHP.
(from #Gentoo

@mgorny@pol.social
2024-04-03 14:43:38

Jeżeli używacie #Wine na #Gentoo, możecie rozważyć instalację:
- app-emulation/dxvk dla D3D 9 – 11 przez Vulkana
- app-emulation/vkd3d-proton dla D3D 12 przez Vulkana
Można je też instalować przez WineTricks, ale użycie systemowych paczek ułatwia aktualizację i ewentualne odinstalowanie.

@mgorny@social.treehouse.systems
2024-06-07 19:14:36

A short history of my attitude towards swap memory.
Stage 1: I don't have enough RAM, so I have to use swap.
Stage 2: I have enough RAM now for usual tasks now. I sometimes hit swapping, and the kernel handles it badly, so I'd rather have it kill stuff instead. I remove swap.
Stage 3: I discover that kernel handles OOM without swap even worse. I start using swap again.
#Gentoo #Linux

@mgorny@social.treehouse.systems
2024-05-07 14:53:49

Followup on `tokio-tar`. As expected, nothing happened so far.
Apparently there is also a `tokio-tar-up2date` crate which is exactly the same thing as `tokio-tar` right now. Probably it was created as a temporary hack while `tokio-tar` was unresponsive.
Then, there is a `krata-tokio-tar` crate that's more recent. However, this one really seems like fork of a fork that was created for the same of some specific project and still without any hope of long-term maintenance. I've refiled my pull request there as well.
I've also filed a bug for #UV, since using dead dependencies is not a good practice.
#RustLang #Gentoo
crates.io/search?q=tokio-tar
github.com/edera-dev/tokio-tar
github.com/astral-sh/uv/issues

@mgorny@pol.social
2024-04-02 19:50:59

Po tym, jak udało mi się rozwiązać problem z ichnim sandboksem, udało mi się uruchomić Firefoksa, zbudowanego ze źródeł, z załączonym wsparciem #JPEGXL. Niestety, wygląda na to, że jest niekompletne.
#Gentoo #Mozilla

Zrzut ekranu strony testowej JPEG XL w Firefoksie, porównującej wyświetlanie obrazów JPEG XL z innymi formatami. Obrazki to:

1. Fotografia jakichś wypasionych krzeseł. Wyglądają tak samo we wszystkich formatach.

2. Obraz kości na przezroczystym tle. W formacie JPEG XL widać jakąś dziwną smugę poniżej kości, podczas gdy tło powinno być tam przezroczyste.

3. Czerwony kwadrat, na którym "blade logo WebKita" ma być widoczne, ale widać je tylko w formacie JPEG XL.

4. Animowany wielościan. W form…
@mgorny@social.treehouse.systems
2024-06-07 16:09:54

In the past, many NumPy-based projects built their wheels against `oldest-supported-numpy` package to ensure the best ABI compatibility between multiple #NumPy versions.
Then NumPy 2 came and reversed that — now you need to build against NumPy 2 rather than 1.x, to gain ABI compatibility with both versions.
That said, if you want to maintain support for #Python 3.8, then you have to hack even more:
#Gentoo

@mgorny@social.treehouse.systems
2024-06-07 01:46:36

You know your bug report and patch made an impact when upstream adds to their instructions:
> - Please only make changes or add data to locales you're familiar with.
#Gentoo

@mgorny@social.treehouse.systems
2024-06-06 15:31:54

For a project that's supposed to avoid the vices of C, #CPython sure crashes a lot.
This time I was bisecting a regression in 3.13.0b2 that causes the interpreter crash when `freezegun` is imported. And no, not because freezegun was doing something hacky. Just some crazy internal extension state thingy.
#Gentoo #Python

@mgorny@social.treehouse.systems
2024-05-22 07:15:06

#RustLang / Cargo support in #Gentoo has received a lot of optimizations over time.
Does that sound like a good thing? I'm afraid it isn't: it's just saying how *bad* the ecosystem is, that we have to keep adding hacks to make it even remotely usable.
For a start, we immediately gave up on packaging the dependencies separately. After all, we're talking about a humongous effort, creating thousands of Gentoo packages whose only purpose would be delivering sources that would be only linked statically into executables. Lot of effort, lot of space waste, no gain. Instead, every Rust package carries a huge list of crates it needs, and a humongous Manifest listing yet another set of copies of checksums for these crates.
We are strongly relying on mirroring crates on Gentoo mirror infrastructure. Why? Because crates.io is uselessly slow. On top of that, Portage normally does fetching in series, so grabbing hundreds of crates takes half an eternity. In fact, I've even made #PyCargoEbuild use aria2 to fetch new crates from crates.io in parallel to work around this.
I have recently added a hack to unpack crates in parallel, because even unpacking all of them is awfully slow. Ironically, the crates that seem to take most of the time to unpack are these responsible for Windows support.
PyCargoEbuild also has a function to repack all dependent crates into a single tarball that we redistribute. Why? Because some packages have so many dependencies that listing them all makes ebuilds and their Manifests humongous. For every package like that, *all* Gentoo users suffer a significant growth in repository size, even if they are never going to use the package in question. So instead of listing and fetching crates, we fetch a ready-made crate tarball. Which is also much smaller than all crates combined, and therefore faster to fetch and unpack (though I haven't compared this to parallel unpacking).
Oh, perhaps I should have mentioned first that Cargo is one of the few ecosystems that simply cannot be packaged without creating dedicated tools to prepare and update the ebuilds.
But yeah, Rust is awesome.

@mgorny@social.treehouse.systems
2024-06-04 15:46:57

It took me almost 3 hours but #PipX 1.6.0 is now in #Gentoo, with an updated test shim that makes it possible to test using fake wheels and is only 70 KiB (vs. upstream that uses ~160 MiB for every single implementation).
What's more important, this time it isn't a handmade proof-of-concept anymore but a proper script with instructions that can be used to easily deal with future releases.
#Python

@mgorny@pol.social
2024-03-29 06:02:35

Nie mogę wrzucić nowej Tuby, bo nie mamy jeszcze nowego GTK. Nie mogę wrzucić Fractala, bo nie mamy nowej Adwaity. Nie mogę wrzucić UV, bo nowy Rust czeka w kolejce do przeglądu.
Kiedy #Gentoo zmieniło się w Debiana?

@mgorny@social.treehouse.systems
2024-04-06 06:38:29

Honestly, the worst effect of the xz/sshd exploit is the evaporation of trust in #OpenSource.
There's this new prolific contributor. I haven't looked in great detail, but they're seemingly doing great work. All pull requests are nicely annotated as to ease review. Really, everything you could wish for. But what if it's a bad actor trying to quickly build trust?
Then this contributor kindly pings assignee a week after filing the PR. Well, nothing wrong with that. It makes sense. But then, what if it's a bad actor trying to pressure maintainers?
Or perhaps it's just a great, well-organized #Gentoo contributor.

@mgorny@social.treehouse.systems
2024-04-03 14:43:37

If you're using #Wine on #Gentoo, you may consider installing:
- app-emulation/dxvk for D3D 9 through 11 through Vulkan
- app-emulation/vkd3d-proton for D3D 12 through Vulkan
While they can also be installed via WineTricks, installing them via system packages makes it easier to update or uninstall them.

@mgorny@social.treehouse.systems
2024-06-05 04:33:07

What I could do instead of making breakfast?
I could be fixing Polish city names in the Python #Faker package. Apparently they've used the data from #latitude.io. The website aggregates data from random sources and it is full of errors: districts of Warsaw are listed as separate cities, some city names are randomly missing diacritics (and I'm not talking about being written entirely without diacritics — say, they have "Białołeka" instead of "Białołęka").
Yep, that's the kind of thing #Gentoo devs do in the morning.
github.com/joke2k/faker/pull/2
latitude.to/map/pl/poland/citi

@mgorny@pol.social
2024-05-22 07:29:37

Wsparcie Rusta / Cargo w #Gentoo otrzymało wiele optymalizacji.
Brzmi to jak coś dobrego, prawda? To nie to — Cargo jest tak *beznadziejne*, że musimy ciągle dodawać jakieś obejścia, żeby dało się go w ogóle używać.
Na początek, od razu zrezygnowaliśmy z tworzenia odrębnych paczek dla zależności. Wszak mówimy o tworzeniu tysięcy paczek, których jedyną funkcją byłoby instalowanie źródeł, kt…

@mgorny@social.treehouse.systems
2024-04-12 14:42:05

#Snappy once again broke ABI without changing SOVERSION, and trashed reverse dependencies.
Hey, what did you expect from a project that is "focused on maintaining a build configuration that allows us to test that the project works in a few supported configurations inside #Google"?
#Gentoo #OpenSource

@mgorny@pol.social
2024-05-19 18:36:20

Istniało ryzyko, że odszedłbym z #Gentoo przed lipcem, ale kryzys zażegnany.
W końcu wziąłem się i przedłużyłem moje klucze OpenPGP.

@mgorny@pol.social
2024-03-22 19:03:58

Cytując siebie (i tłumacząc):
"""
Szczerze mówiąc, uważam, że największym problemem jest to, że dystrybucja oprogramowania w Pythonie jest nieskończenie skomplikowana i nieintuicyjna, co oznacza, że każda osoba, która chce się tym zająć z którejkolwiek strony, ku swojemu zaskoczeniu odkryje bardzo wysoki próg wejścia. #Gentoo

@mgorny@social.treehouse.systems
2024-04-14 07:21:20

One more thing about the xz/sshd backdoor, and the earlier sale of "Simple Mobile Tools".
A long time ago, I've been told an important rule of #security in IT: when threatened with violence, yield. The life and health of you and your family is more important than any #OpenSource project you may be working on. A lot of people will blame you, but the ones who matter will understand.
But what if it's the carrot and not the stick that you're getting? What if you're being offered money to "betray" your project? Should you resist, or can you yield?
Then, isn't there a stick to be expected at the other end? Won't it come upon you if you rejected the carrot? Isn't money merely the "civilized" way of washing your hands from the implied threat of violence?
Even more, what if you really need that money? What if you barely make ends meet, and rejecting the carrot becomes a stick in itself?
Well, I'm not saying that it's likely that I'll ever be in that situation with #Gentoo (as in having money offered; having no income I know too well), but I really wouldn't know what to do. And I'd understand anyone who accepted that money.
The bottom line is: if people treat #FreeSoftware developers as a free exploitable workforce, people shouldn't be surprised when the projects they rely on are sold or backdoored.

@mgorny@social.treehouse.systems
2024-03-29 17:49:49

You've probably seen it elsewhere already, but: xz-utils 5.6.0 and 5.6.1 release tarballs contain an elaborate exploit that injects a backdoor into SSH. #Gentoo systems shouldn't be affected since our OpenSSH doesn't link to liblzma — apparently the exploit targets distributions that patch OpenSSH to link with libsystemd, which in turn may link to liblzma. However, it's not clear if the exploits doesn't do anything else, so we've masked the new versions.
lzip is not affected.
openwall.com/lists/oss-securit

@mgorny@social.treehouse.systems
2024-03-29 17:49:49

You've probably seen it elsewhere already, but: xz-utils 5.6.0 and 5.6.1 release tarballs contain an elaborate exploit that injects a backdoor into SSH. #Gentoo systems shouldn't be affected since our OpenSSH doesn't link to liblzma — apparently the exploit targets distributions that patch OpenSSH to link with libsystemd, which in turn may link to liblzma. However, it's not clear if the exploits doesn't do anything else, so we've masked the new versions.
lzip is not affected.
openwall.com/lists/oss-securit

@mgorny@social.treehouse.systems
2024-06-01 09:54:28

In branched projects like #CPython, you bisect in two directions. You bisect backwards to determine which commit broke CPython 3.12. You bisect forward to determine which commit fixed the issue on main (I use old/new terms there to avoid confusion).
#git #Gentoo

@mgorny@social.treehouse.systems
2024-03-29 14:59:54

Small good news today: I've finally removed #nose (and its last reverse dependencies) from #Gentoo today.
#Python

@mgorny@social.treehouse.systems
2024-05-29 04:39:06

Key goals for various Linux distributions:
Debian: Free Software purity
Red Hat: stability
Arch: bleeding edge
#Gentoo: avoiding having to install which(1) at all cost

@mgorny@social.treehouse.systems
2024-03-30 15:38:06

Sigh. A certain thread on a certain mailing list makes me want to make another pessimistic point wrt the xz/sshd hassle.
What ain't going to happen? Long-term increase of donations and support to #OpenSource developers. And by "developers", I mean actual people who need to buy food and pay the bills, not "projects".
What is definitely already happening? Blaming, bright ideas and demands for the developers already suffering from burnout.
#Gentoo

@mgorny@social.treehouse.systems
2024-03-30 16:57:51

What I imagined would happen: I enable #DistCC on my weak laptop, it will pour compilation jobs on my Ryzen PC like crazy, keeping all 12 threads on boost 100% busy and finish webkit-gtk in no time.
What actually happened: the 4 laptop cores are 100% busy preprocessing and can't keep up delivering jobs to the Ryzen, and it is eating through them so fast it's barely busy.
Well, at least preprocessing doesn't take as much memory as the compiler, so things are actually progressing rather than getting stuck on swapping.
#Gentoo

@mgorny@social.treehouse.systems
2024-03-29 06:00:49

I can't bump Tuba, because we don't have new GTK yet. I can't bump Fractal, because we don't have new Adwaita. I can't bump UV, because we don't have new Rust (there's a PR open).
When did #Gentoo turn into a Debian?

@mgorny@social.treehouse.systems
2024-04-02 15:35:40

Recently I've added a cheap hack to the standard #Gentoo invocation for #PyTest to throw errors if unhandled async functions are detected. The goal was to increase our chances of finding packages with missing dependency on dev-python/pytest-asyncio (or another equivalent plugin), or packages disabling plugin autoloading and failing to load such a plugin.
Today, I've gotten a first bug report, regarding dev-python/ipython. I've grepped the sources and confirmed that the package depends on PyTest-AsyncIO, except that it pins to < 0.22. Well, we don't have one that old but let's hope it works anyway. So I've tried adding the dep, `-p asyncio`… and PyTest still apparently couldn't find the plugin. I've scratched my head and tried `PYTEST_PLUGINS` instead — still the same result. What the…?
So I've checked the git repository out, tried with older PyTest-AsyncIO, and indeed the tests worked. Tried with the newest, 0.23.6, and the same issue occurred. I've checked the git history and discovered that the version pin was added because of a buggy 0.22.0 release. However, the issue has been fixed since, the release was yanked and my problem was nothing like that.
So I've investigated more. For some reason, #IPython test suite does not mark tests with `pytest.mark.asyncio` marker directly. Instead, it globally iterates over all test functions, and implicitly adds the marker to all coroutines. This used to work with older versions, but does not work anymore — the test is correctly marked, but for some reason it stops being recognized as a coroutine. So I've made a minimal reproducer and filed a bug.
The key point here is: the (potential) bug went unnoticed for a while now, because of the premature, then obsolete pin in IPython.
#Python

@mgorny@social.treehouse.systems
2024-04-25 14:54:23

Essentially, distro developers are firefighters, putting out fires made by careless upstreams.
What I've wasted time on, today:
- making the non-standalone test suite of #Hatchling (sigh) work without #UV again, so that a critical build dependency of a growing number of #Python packages could be tested everywhere
#PassLib not to break random stuff via printing warnings when using newer #BCrypt versions
#ImageIO work using an offline copy of test data, rather than cloning its git repository at the beginning of tests
#Gentoo

@mgorny@social.treehouse.systems
2024-03-23 14:54:33

Testing #LLVM snapshots for #Gentoo be like:
1. You build and test LLVM. It turns out that Clang fails at CMake time. Regression was introduced by a corporate employee on Friday, with no review and only a link to the internal Apple bug tracker. You submit a patch.
github.com/llvm/llvm-project/p
2. You go back a day, just before the breaking change, and start over. You build and test all LLVM components, only to discover at the very last package that OpenMP was broken, roughly an hour earlier. You submit a patch.
github.com/llvm/llvm-project/p
3. You go back prior to that commit, and start over. Fortunately, CCache saves you from rebuilding everything from scratch. Still, many hours of testing are ahead of you. You really hope for no more regressions…

@mgorny@social.treehouse.systems
2024-05-25 15:42:36

Do I see correctly that #Docker #BuildKit immediately discards the filesystem of all failed image builds, making it completely impossible to debug them? And in order to get anything useful you have to explicitly disable BuildKit, and that's going to be "removed in a future release", effectively making this crap impossible to debug?
#Gentoo

@mgorny@social.treehouse.systems
2024-04-25 15:54:46

New #RustLang projects are popping up all over the place. Many of them quickly reach feature parity with their non-Rust predecessors, then beat them both in functionality and performance. Seeing all this, it's hard not to think of Rust as a language that makes rapid development and deployment possible, and that outperforms other programming languages.
While I won't argue that Rust has its advantages, that's not the real reason here. In my opinion, it's all about its popularity. All the cool kids use Rust nowadays, and cool kids are precisely the kind of people who have time and energy to develop stuff rapidly. Add to that corporations investing in the next boom, and delivering a full-time paid workforce and funding, the culture of code reuse (i.e. sharing lots of crates), and last but not least, the benefit of starting from scratch.
Old folk like us, who barely manage enough energy to keep things alive, can't compete with that. However, we have one advantage. We don't care about being cool anymore. We aren't going to pack our bags and run after the next shiny thing, whenever the next best thing since sliced bread gets invented.
#Gentoo #OpenSource

@mgorny@social.treehouse.systems
2024-05-19 18:36:21

There was a risk that I'd be leaving #Gentoo before July, but the crisis was averted.
I've finally gotten around to renew my OpenPGP keys.

@mgorny@social.treehouse.systems
2024-05-18 17:51:32

One more thing about porting #Gentoo packages to a new #Python version is that every time you discover how many *new* packages are now abandoned and broken. However, the rate at which packages are abandoned is not what's most the most terrifying thing — it's how many other packages still use these packages, years after the last commit, years after distro developers had to start patching them to have them work at all.
I'm talking of clint (2015), I'm talking of passlib (2020, though author reappeared recently), WebOb (2021), Genshi (2022). I'm talking of Bottle whose author doesn't seem to be able to accept `cgi` removal from stdlib. I'm talking of Aesara that used to be a fork of Theano, and that apparently has been forked again. I'm talking of HttpBin that was abandoned in 2018, then revived by PSF, but it's far from being well-maintained right now.
The world has moved on, apparently.

@mgorny@social.treehouse.systems
2024-03-23 16:53:02

Honestly, I find the decision in #Wine 9.0 to force #HidRaw by default for specific gamepads a very bad one. Apparently, it was done because these devices use "a proprietary HID protocol", and so they full functionality cannot be exposed via XInput. Well, okay. Except that there are two problems.
Firstly, using them via HidRaw requires special device permissions. In #Gentoo, this means installing games-util/game-device-udev-rules. If you don't do that, the controllers simply don't appear at all, and you don't know why. You have to look for answers. Even if you do, I have some doubts about giving extra permissions to stuff.
Secondly, it requires all software to support these gamepads explicitly. I mean, I've tried this with DualShock 4 in two games. In "Saints Row V", the gamepad work but the Y axis would be reversed for no apparent reason. In "A Plague Tale", the gamepad wouldn't be detected at all.
I prefer a gamepad that works over theoretical support for some fancy hidden features. So it's back to XInput for me:
wine reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winebus" /v "DisableHidraw" /t REG_DWORD /d 1
bugs.winehq.org/show_bug.cgi?i

@mgorny@social.treehouse.systems
2024-04-23 05:10:59

As we all know, one of the primary purposes for #RustLang rewrites is improving security. And there is no better way to make your code secure than by not including it at all.
#Python #Gentoo

@mgorny@social.treehouse.systems
2024-04-23 05:10:59

As we all know, one of the primary purposes for #RustLang rewrites is improving security. And there is no better way to make your code secure than by not including it at all.
#Python #Gentoo

@mgorny@social.treehouse.systems
2024-05-18 16:19:06

Technically, a large part of what amounts to #Gentoo #Python 3.13 porting could be automated. In fact, we already have most of the pieces — tooling to find next candidates, update PYTHON_COMPAT, run tests. Why do I do it semi-manually then?
Well, for a start it gives me an opportunity to look into the ebuilds. Look for old issues, improve code, sometimes discover we ought to have removed something a long time ago. At the same time, looking at build logs also sometimes makes me notice incorrectly working tests (particularly, tests not failing correctly on failure).
Not to mention it gives me a bit of purpose when the damn fever prevents me from doing anything requiring more focus.

@mgorny@social.treehouse.systems
2024-05-24 08:28:06

Things random software companies would happily pay for: sending random #OpenSource developers to pointless conferences. Spending absurd amounts of money on travel, accommodations and perhaps even food there.
Things random companies would rather not do: spending a small part of that money to give these developers half a living wage, so they wouldn't have to find other income and/or keep living at the edge of bankruptcy.
After all, even then they will continue doing a good job, for free, for users' sake.
#AntiCapitalism #Gentoo

@mgorny@social.treehouse.systems
2024-05-24 08:28:06

Things random software companies would happily pay for: sending random #OpenSource developers to pointless conferences. Spending absurd amounts of money on travel, accommodations and perhaps even food there.
Things random companies would rather not do: spending a small part of that money to give these developers half a living wage, so they wouldn't have to find other income and/or keep living at the edge of bankruptcy.
After all, even then they will continue doing a good job, for free, for users' sake.
#AntiCapitalism #Gentoo

@mgorny@social.treehouse.systems
2024-06-11 18:14:44

#MiniUPnPC 2.2.8 introduced a breaking API change: the `UPNP_GetValidIGD()` now gets the external IP address and writes it to the newly added arguments (rendering `UPNP_GetExternalIPAddress()` redundant). The return values also shifted in place (sigh).
This made me finally revive #PSHS a bit. I've just pushed 0.4.3 to #Gentoo with a number of important changes: relicensing to GPL-2 and shift of supported MiniUPnPC, OpenSSL and libevent version ranges (the removed 0.4.2 version accidentally broke compatibility with libevent-2.1).
While updating to the #OpenSSL 3 API (to fix deprecation warnings), I've discovered that it made a full circle. First, OpenSSL 1.0 had a simple `RSA_generate_key()` function. Then, for 1.1 I had to replace with it complex, almost "raw" `RSA_generate_key_ex()`. And for 3.0, it's back to even simpler `EVP_RSA_gen()`.
github.com/projg2/pshs/compare

@mgorny@social.treehouse.systems
2024-06-07 15:41:11

Please don't use #Mercurial. It's not well-maintained software.
People like to point out that Mercurial works great for a few BigTech corporations. That's great for them. The side effect is that the development is focused on these corporations, and if you find a bug that doesn't affect them, you better be ready to provide a fix yourself.
#Python 3. The first release with Python 3 was made *two months* before Python 2 went EOL.
#RustLang. Funny thing is, Mercurial with Rust extensions enabled still doesn't work on Python 3.12. Apparently, they've chosen to use some NIH Python/Rust bridge rather than PyO3.
#Gentoo

@mgorny@social.treehouse.systems
2024-05-21 15:09:48

The right attitude towards #Boost (the C library):
1. No activity in the affected project for a year.
2. Boost 1.85.0 comes out and breaks it. Hotfix against new Boost.
3. Remove Boost use entirely 3 days later.
#Mupen64plus #Gentoo

@mgorny@social.treehouse.systems
2024-03-19 19:03:38

Using `--load-average` in MAKEOPTS is fun.
Some build systems (like make and ninja) respect it but always run at least one job. Most of the time this keeps my CPUs nicely saturated without having too many jobs spawned when multiple packages build in parallel. At times, when only a single package is being built, it leads to short periods where a spike in load causes suboptimal CPU utilization but that's not a big deal.
Some tools (like pytest) do not support `--load-average` at all. This means they always run the full set of jobs. As a result, the tools that do respect it end up running just one job for the time. This usually turns out reasonably convenient during my Python bumps since the test suites finish quicker without being slowed down by other package builds.
Some tools (like CTest from CMake) do not spawn any jobs if `--load-average` is exceeded. This is quite confusing at first, because it looks like it just hanged — and I suppose if you may end up having high background load, the test suite may never actually start running.
#Gentoo

@mgorny@social.treehouse.systems
2024-05-11 08:42:44

Just hit my first JIT-related #CPython 3.13 test failure. Curious enough, it doesn't seem that the `gc.collect()` hack works, the way it does for #PyPy.
#Gentoo #Python

@mgorny@social.treehouse.systems
2024-05-10 18:45:57

You know what's great about #Python stable ABI? That you can take a binary package of, say, cryptography, and it will work on CPython 3.13, even though it's been built with older CPython version.
You know what's not so great about #PyO3? That you won't be able to build this package using Python 3.13 because it's going to reject it as "too new". Even if the package in question is only using the stable ABI compatible with CPython 3.9. Sigh.
So, of course, everything on #Gentoo will be blocked, until individual packages update their dependencies to use PyO3 new enough to support 3.13.
#RustLang

@mgorny@social.treehouse.systems
2024-06-10 14:45:26

So I'm bumping a package and the test suite fails with suspicious timestamp-related failures. So I do the obvious thing, and set TZ=UTC. It still fails. I do a quick math, and the timestamp difference looks weird — 8 hours.
I clone the repo to try to reproduce the problem. While that, I check how upstream runs tests and notice a comment:
# system should be in "America/Los_Angeles" timezone for all tests to pass
Well, okay. Then I make a bet that kloczek has already filed a bug about tests passing without actually bothering to try to figure it out. Of course he did:
#Python #Gentoo #PLD

@mgorny@social.treehouse.systems
2024-05-11 06:06:00

Of course, there's a #PEP517 backend for #SCons, one of the most horrible build systems ever made by humankind.
Of course, it managed not to implement PEP517 correctly.
#Gentoo #Python

@mgorny@social.treehouse.systems
2024-06-09 03:19:38

Does #setuptools maintainer think it is a good idea to use setuptools as a #PEP517 build system?
Yep, he probably does. And to prove it, he installs `docs` straight into `site-packages`.
#Gentoo #Python

@mgorny@social.treehouse.systems
2024-05-07 13:10:02

The most recent #Django releases, 5.0.5 and 4.2.12 are broken. Most likely they were done on #Windows, and that obviously is sufficient to break stuff.
[UPDATE: 5.0.6 and 4.2.13 are good. Thanks a lot!]
So far, we've noticed the following issues:
1. The directory is named lowercase `django-X.Y.Z` instead of capital-case `Django-X.Y.Z` (the filename remains capital-case).
2. All files have CRLF line endings instead of LF.
3. All files that should have the executable bit, have lost it.
As a result, the releases don't pass their own tests.
I hope to report this upstream, but their Trac is down now. So you can't even download the releases right now.
#Gentoo #Python

@mgorny@social.treehouse.systems
2024-04-05 15:36:30

After getting yet another bug report about #Python package (this time #VirtualEnv) failing to build, because the user did not have new enough #TroveClassifiers installed, I've filed a bug asking #Hatchling to make trove classifier validation either optional or non-fatal.
Right now this simply is not feasible. Technically, every package would need to specify a *minimal* `trove-classifiers` package dependency based on the classifiers they used, and we would have to keep these versions in every #Gentoo ebuild. However, that's unlikely to ever happen, so we'd actually have to check all listed trove classifiers and map them back to package versions. Or, more realistically, just always depend on the newest trove-classifiers available and hope we don't forget to update the dependency.
#PEP517 #packaging

@mgorny@social.treehouse.systems
2024-05-18 06:53:52

Well, we know that some upstreams are hostile to downstream testing.
However, how about they actually encrypt tests, so that only their CI can run them?
#Gentoo #Python