[[ -n ${QA_STRICT_EXECSTACK} ]] && QA_EXECSTACK=""
qa_var="QA_WX_LOAD_${ARCH}"
[[ -n ${!qa_var} ]] && QA_WX_LOAD=${!qa_var}
- [[ -n ${QA_STRICT_EXECSTACK} ]] && QA_WX_LOAD=""
+ [[ -n ${QA_STRICT_WX_LOAD} ]] && QA_WX_LOAD=""
export QA_EXECSTACK QA_WX_LOAD
f=$(scanelf -qyRF '"%e %p"' "${D}" | grep -v 'usr/lib/debug/')
;;
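Review bot: the corrected test on the `QA_WX_LOAD=""` line changes behaviour for anyone who set only QA_STRICT_EXECSTACK. Until now that variable also cleared ebuild QA_WX_LOAD overrides; after this change those overrides are honoured unless QA_STRICT_WX_LOAD is set as well. The new test matches the QA_EXECSTACK line above it, so the fix looks right, but please call the change out in the commit message or release notes so strict setups know to add the second variable.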
For example, blackdown-jdk and sun-jdk provide \fIvirtual/jdk\fR. This
allows for packages to depend on \fIvirtual/jdk\fR rather than on blackdown
or sun specifically.
+.SH "QA CONTROL VARIABLES"
+.TP
+.B USAGE NOTES
+Several QA variables are provided which allow an ebuild to manipulate some
+of the QA checks performed by portage. Use of these variables in ebuilds
+should be kept to an absolute minimum otherwise they defeat the purpose
+of the QA checks, and their use is subject to agreement of the QA team.
+They are primarily intended for use by ebuilds that install closed-source
+binary objects that cannot be altered.
+.br
+Note that objects that violate these rules may fail on some architectures.
+.TP
+\fBQA_TEXTRELS\fR
+This variable can be set to a list of file paths, relative to the image
+directory, of files that contain text relocations that cannot be eliminated.
+The paths may contain regular expressions.
+.br
+This variable is intended to be used on closed-source binary objects that
+cannot be altered.
+.TP
+\fBQA_EXECSTACK\fR
+This should contain a list of file paths, relative to the image directory, of
+objects that require executable stack in order to run.
+The paths may contain regular expressions.
+.br
+This variable is intended to be used on objects that truly need executable
+stack (i.e. not those marked to need it which in fact do not).
+.TP
+\fBQA_WX_LOAD\fR
+This should contain a list of file paths, relative to the image directory, of
+files that contain writable and executable segments. These are rare.
+The paths may contain regular expressions.
.SH "PORTAGE DECLARATIONS"
.TP
.B inherit
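Review bot: the QA_WX_LOAD entry does not mention the per-architecture form. The shell code reads `QA_WX_LOAD_${ARCH}` and, when it is set, uses it in place of QA_WX_LOAD, so an ebuild author working from this page alone would not know the variable exists or that it takes precedence. Please add a sentence for it. Separately, "The paths may contain regular expressions" appears three times without saying whether the pattern is anchored to the whole path; since each match exempts a file from a security check, it is worth stating the matching rule once in USAGE NOTES. That section could also note that the user can disable these overrides with the QA_STRICT_* variables.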
Have portage react strongly to conditions that have the potential to be
dangerous (like missing or incorrect Manifests).
.TP
+.B stricter
+Have portage react strongly to conditions that may conflict with system
+security provisions (for example textrels, executable stack). Read about
+the \fIQA_STRICT_*\fR variables in \fBmake.conf\fR(5).
+.TP
.B suidctl
Before merging packages to the live filesystem, automatically strip setuid
bits from any file that is not listed in \fI/etc/portage/suidctl.conf\fR.
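Review bot: "react strongly" in the stricter description does not tell the user what portage will actually do when it finds a textrel or an executable stack, for example whether the merge is aborted or only a louder warning is printed. Please state the effect. The pointer to the QA_STRICT_* variables should also say how they relate to this feature: as worded, it is unclear whether stricter implies them, requires them, or is independent of them.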
have been partially downloaded. It should be defined using the same format
as \fBFETCHCOMMAND\fR.
.TP
+\fBQA_STRICT_EXECSTACK = \fI"set"\fR
+Set this to cause portage to ignore any \fIQA_EXECSTACK\fR override
+settings from ebuilds. See also \fBebuild\fR(5).
+.TP
+\fBQA_STRICT_WX_LOAD = \fI"set"\fR
+Set this to cause portage to ignore any \fIQA_WX_LOAD\fR override
+settings from ebuilds. See also \fBebuild\fR(5).
+.TP
+\fBQA_STRICT_TEXTRELS = \fI"set"\fR
+Set this to cause portage to ignore any \fIQA_TEXTREL\fR override
+settings from ebuilds. See also \fBebuild\fR(5).
+.TP
\fBROOT\fR = \fI[path]\fR
Use \fBROOT\fR to specify the target root filesystem to be used for merging
packages or ebuilds. All \fBRDEPEND\fR and \fBPDEPEND\fR will be installed
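Review bot: the QA_STRICT_TEXTRELS entry names the overridden variable as `QA_TEXTREL`, but the ebuild variable documented in the other man page hunk is QA_TEXTRELS; a reader searching for the name given here will not find it. Two smaller points on the same three entries: the bold markup runs through the equals sign (`\fBQA_STRICT_EXECSTACK = \fI"set"\fR`), whereas the neighbouring ROOT entry closes it first (`\fBROOT\fR = \fI[path]\fR`), and the value `"set"` reads as a required literal while the shell code tests `-n`, so any non-empty value enables the behaviour. Saying "any non-empty value" would be more accurate.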