From bc09907c8c1106b6c4900dfaa742249f17ec148b Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 8 Jun 2016 12:23:04 -0700
Subject: [PATCH] profile: begin explicitly masking packages for prod images

This serves as a sanity check to avoid mistakes like pulling in python.
---
 .../profiles/coreos/targets/generic/prod/README | 2 +-
 .../coreos/targets/generic/prod/package.mask | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README
index a7b67190ee..0017236a1a 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README
@@ -4,4 +4,4 @@ Settings here must *ONLY* influence installing binary packages and never change build time settings like USE or CFLAGS because binary packages are shared between dev and prod, dev just includes more stuff.
-For example, INSTALL_MASK and package.provided are ok.
+For example INSTALL_MASK, package.mask, and package.provided are ok.
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask
new file mode 100644
index 0000000000..2f252c78ed
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask
@@ -0,0 +1,15 @@
+# Packages that we do not want to ship in production images. Masking these
+# is merely as a safe guard against pulling them in accidentally.
+
+# We don't want to support interpreted languages, changes/updates we make
+# would have a high risk of breaking users.
+dev-lang/perl
+# TODO dev-lang/python
+dev-lang/ruby
+
+# Since all SSL/TLS implementations are bad we minimize the number we ship.
+net-libs/gnutls
+
+# We do not configure/install grub like other distros so shipping the user
+# space tools would have limited utility.
+sys-boot/grub
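Review bot: `# TODO dev-lang/python` leaves unmasked the one package the commit message names as the mistake to catch, so this sanity check will not fail a prod build that pulls in Python. If something in the prod set still depends on it, say so in the file so the TODO can be tracked and closed, e.g. `# TODO: mask dev-lang/python once <blocking package> no longer depends on it` (placeholder; the blocker is not stated here). The gnutls comment would also be more useful if it named the TLS library that prod does ship and gave the actual reason, for example `# Ship a single TLS stack so there is only one set of advisories to track and patch.` Minor wording: `is merely as a safe guard` should read `is merely a safeguard`.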