Search Portage & Overlays:

Gentoo Repository News

xorg-server dropping default suid - 24/06/2020 00:00 GMT

Starting 2020-07-15, stable keyworded x11-base/xorg-server will default
to using the logind interface instead of suid by default. resulting in
better security by default through running the server as a regular user
instead of root. However, this will require our users to use a logind
provider such as elogind or systemd. The systemd users and those who are
not using systemd but use desktop profiles can stop reading here, as
they already have a logind provider enabled.

Others, who have neither systemd or desktop profiles enabled will be
required to globally enable 'elogind' USE flag and update the system

    # emerge --newuse @world

Afterwards, one will need to re-login, so the PAM can assign a seat. One
can confirm that a seat has been assigned upon login by running:

    $ loginctl user-status

Users who do not wish to use logind interface or have rare hardware that
does not use KMS and because of that, require root privileges to
operate, can manually re-enable 'suid' and disable 'elogind' USE flags
in order to preserve the previous behavior. However, please note that
this is heavily discouraged to run X server as root due to security
reasons. The 'suid' USE flag will remain as optional opt-in for the need
of legacy hardware.

Posted By: Piotr Karbowski

sys-libs/pam-1.4.0 upgrade - 23/06/2020 00:00 GMT

Starting with the 1.4.0 release [1], we don't offer these modules anymore:

* pam_tally and pam_tally2 have been deprecated and replaced
  by the pam_faillock module
* pam_cracklib has been deprecated and replaced
  by the pam_passwdqc module

These changes affected our basic PAM stack configuration.

You only need to take action if:
* you made manual changes to the PAM stack, or
* you use FEATURES="-config-protect-if-modified" option

If this applies to you, please make sure to either run the etc-update or
dispatch-conf command in order to sync your configuration.

Failure to do this may result in your system becoming inaccessible.

[1] -

Posted By: Mikle Kolyada

Potential file collisions during OpenCL upgrade - 22/04/2020 00:00 GMT

OpenCL support in Gentoo is now being migrated to having all implementations
operate through an ICD loader (dev-libs/ocl-icd or dev-libs/opencl-icd-loader)
installed directly into /usr rather than using eselect-opencl to switch
between implementations, with updated loader ebuilds having just been released
to the public. Unfortunately although the upgrade process will automatically
uninstall app-eselect/eselect-opencl, it will not remove the symbolic links to created by this tool in library directories because those links
are not owned by the package in question.

For everyone using the default Gentoo configuration of collision protection
(FEATURES='-collision-protect protect-owned'), this should cause no trouble
because this configuration allows the overwriting of orphaned files.
Obviously, systems with collision protection completely disabled (not
recommended but technically possible) will not be affected either. However,
if your system is configured for full collision protection
(FEATURES=collision-protect), it will be necessary to manually remove those

    rm -i /usr/lib/*

before running the upgrade.

Posted By: Marek Szuba

Python 3.7 to become the default target - 22/04/2020 00:00 GMT

On 2020-05-06 (or later), Python 3.7 will replace Python 3.6 as one
of the default Python targets for Gentoo systems.  The new default
values will be:

    PYTHON_TARGETS="python2_7 python3_7"

If you have not overriden these variables on your system, then your
package manager will switch to the new targets immediately.  In order
to avoid dependency conflicts, please clean stray packages up
and rebuild/upgrade all packages with USE flag changes after the change,

    emerge --depclean
    emerge -1vUD @world
    emerge --depclean

Please note that during the system upgrade some of the package
dependencies may temporarily become missing.  While this should not
affect programs that are already fully loaded, it may cause ImportErrors
when starting Python scripts or loading additional modules (only scripts
running Python 3.6 are affected).

In order to improve stability of the upgrade, you may choose to
temporarily enable both targets, i.e. set in /etc/portage/package.use
or its equivalent:

    */* PYTHON_TARGETS: python3_6 python3_7
    */* PYTHON_SINGLE_TARGET: -* python3_6

This will cause the dependencies to include both Python 3.6 and 3.7
support whenever possible, throughout the next system upgrade.  Once all
packages are updated, you can restart your scripts, remove the setting
and start another upgrade in order to cleanly remove Python 3.6.

There are still some Gentoo packages that do not support Python 3.7.
We will be pushing updates to these packages as time permits.  However,
some of them will probably be removed instead.

If you would like to postpone the switch to Python 3.7, you can copy
the current value of PYTHON_TARGETS and/or PYTHON_SINGLE_TARGET
to /etc/portage/package.use or its equivalent:

    */* PYTHON_TARGETS: -python3_7 python3_6
    */* PYTHON_SINGLE_TARGET: -* python3_6

If you would like to migrate your systems earlier, you can do
the opposite.  Note that if you are running ~arch, you may want to go
straight for Python 3.8 at this point.

Please note that this switch is long overdue.  Python 3.6 is no longer
receiving bug fixes.  Its planned end-of-life is 2021-12-23 but we will
probably remove it earlier than that.  [1]

All above snippets assume using package.use to control USE flags.
If you still have make.conf entries for these targets, you need
to remove them.  While using make.conf is possible, it is strongly
discouraged as it does not respect package defaults.  The latter
can help you keep some of Python 3.6 packages without the need to
explicitly toggle flags per-package.


Posted By: Michał Górny

Desktop profile switching USE default to elogind - 14/04/2020 00:00 GMT

Modern desktop environments make use of PAM session tracking for users, login
sessions and seats. [1] The most user-visible part of that is device and file
permissions management and reboot/shutdown handling without superuser rights.

Users with systemd can stop reading here and continue with their daily

ConsoleKit2 is unmaintained upstream for more than two years [2]. There are
many longstanding bugs and papercuts with consumers that aren't being fixed,
not least because these code paths receive very little testing.

Enter the elogind project [3], which is a standalone logind implementation
based on systemd code, currently maintained by a fellow Gentoo user. We have
had sys-auth/elogind available in Gentoo since the beginning of 2017, and
meanwhile it has gained support [4] in KDE Plasma, Gnome [5], Cinnamon, MATE
and Xfce, as well as most other former consolekit consumers.

Consequently, the desktop profile is switching away from consolekit to
elogind. Users of sys-auth/consolekit who selected a different profile should
consider doing the same. A guide is available [6]. Migration is easy, but any
existing consolekit session will be broken, and elogind will only begin to work
on relogin.

Rely either on the profile, or set USE="elogind -consolekit" in make.conf
yourself. Make sure there is no consolekit debris in /etc/portage/package.use:

# grep -R consolekit /etc/portage/package.use

Rebuild all affected consumers and remove sys-auth/consolekit:

# emerge --ask --changed-use --deep @world
# emerge --depclean consolekit

Optional, but recommended in case of trouble such as missing reboot/shutdown
capabilities in the display manager:

# rc-update add elogind boot

For users of ~/.xinitrc instead of one of the supported DMs, do not forget to
update accordingly (ck-launch-session is gone without replacement).

PS: Subsequently, this will lead to the last-riting of sys-power/pm-utils [7]
which is dead even longer than the original ConsoleKit(1) project. KDE Plasma
users sticking with sys-auth/consolekit are then going to lose suspend from
GUI without superuser rights.


Posted By: Andreas Sturmlechner

new ppc64le (little-endian) profiles - 04/04/2020 00:00 GMT

A new set of 17.0 ppc64le profiles has been added to the Gentoo repository.
New profiles are compatible with existing ppc64 little-endian profiles,
and no additional action required after switching the profile.

Please migrate away from the old profiles:

* Old profiles:

* Replaced by:

Desktop profiles are now also available.

Refer to `eselect profile list` output.

Posted By: Georgy Yakovlev

Deprecation of legacy X11 input drivers - 03/04/2020 00:00 GMT

The Gentoo X11 Team is announcing the deprecation and future removal of
the legacy X11 input drivers x11-drivers/xf86-input-mouse and
x11-drivers/xf86-input-keyboard. As of 2020-05-01 those input drivers
will be masked for removal.

These drivers have been deprecated for many years, first by
xf86-input-evdev and then by xf86-input-libinput.

The only use for those drivers remain in deployments which intentionally
opt-out of using udev, as both evdev and libinput require udev during
runtime, however given that upstream has already removed the Linux
support from xf86-input-keyboard, future X11 releases will no longer
support xf86-input-keyboard on Linux rendering those installation
infeasible to use without udev.

In order to ensure frictionless upgrade path for future X11 releases, we
have decided to deprecate those drivers that are not in active use by
pretty much any installation of Gentoo.

No action is required from end-users who are already using libinput (or
evdev). To check which driver is in use, one can use

    $ grep 'Using input driver' ~/.local/share/xorg/Xorg.0.log

for the systems running xorg-server as regular user (-suid
+elogind/+systemd) or by running

    # grep 'Using input driver' /var/log/Xorg.0.log

for those running xorg-server as root.

If however neither libinput or evdev is in use, one should append
'libinput' to the INPUT_DEVICES variable inside /etc/portage/make.conf
while removing 'keyboard' and 'mouse' if present, then update @world
with new USE flags

    # emerge -N @world

Posted By: Piotr Karbowski

K8s Moving to a Single Package - 03/04/2020 00:00 GMT

Formerly, we packaged kubernetes as seven separate packages:

sys-cluster/kubeadm, sys-cluster/kube-apiserver,
sys-cluster/kube-controller-manager, sys-cluster/kubectl,
sys-cluster/kubelet, sys-cluster/kube-proxy and

Starting with kubernetes 1.18.0, 1.17.5 and 1.16.9, these will be merged
into one package, sys-cluster/kubernetes. The components of this package
which are build and installed will be selectable by use flags.

If you are using 1.16.x or 1.17.x and would like to migrate to the
single package without upgrading, I have also made 1.16.8 and 1.17.4
available in this new package.

Currently, everything is built and installed by default; however, I am
open to changing this if there is a better way to configure the default

Posted By: William Hubbs

Stable ia64 keywords removed - 30/03/2020 00:00 GMT

The Gentoo/IA64 team no longer thinks that the time invested in package
stabilization is warranted for the small number of users on IA64. As a
result, we will drop all "ia64" keywords to "~ia64" on 2020-04-03 and will
add "~ia64" to ACCEPT_KEYWORDS in the profile.

Users need not make any changes to their systems, and the Gentoo/IA64 team
has no plans to remove support for the architecture.

Posted By: Matt Turner

OpenSSH 8.2_p1 running sshd breakage - 20/02/2020 00:00 GMT

If sshd is running, and a system is upgraded from
=net-misc/openssh-8.2_p1, any new ssh
connection will fail until sshd is restarted.

Before restarting sshd, it is *strongly* recommended that you test your
configuration with the following command (as root):
    sshd -t

If your system is booted with openrc, use this command (as root) 
to restart sshd:
    rc-service sshd --nodeps restart

If your system is booted with systemd, use this command (as root)
to restart sshd:
    systemctl restart sshd

WARNING: On systemd booted machines with PAM disabled, this command
         will terminate all currently open ssh connections. It is 
         *strongly* recommended that you validate your configuration
         before restarting sshd.

If you are using systemd socket activation for sshd, then no action is

Posted By: Patrick McLean