List Archive: gentoo-dev
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
Mike Frysinger wrote:
> On Saturday 24 June 2006 18:54, Edward Catmur wrote:
>> * Security (from malicious contributors): Glad to see layman will only
>> track the reviewed/ tree; still, anyone who checks out the sunrise/ tree
>> (and has it in PORTDIR_OVERLAY) is vulnerable.
>> - Remove from the examples any suggestion that one should check out the
>> whole tree when contributing. Point out that one should not svn up
>> sunrise/ as part of updating Portage.
> valid point i think
The guide has been edited to inform users that they should *not* use the
sunrise/ tree for any reason other than committing. Now, in the
HowToCommit guide, near the instructions for checking out the sunrise/
tree, it clearly states that you should not set it as your
PORTDIR_OVERLAY, but use the reviewed/ instead.
> ive never admined svn repos before, but would it be possible to shut off anon
> access to the non-reviewed tree ? i think that would cover this issue as
> people who get bit by bugs in the non-reviewed tree would (and should) be
> able to just go in and fix it themselves :)
As far as I understand, not allowing anonymous users to check out the
sunrise/ directory *is* going to be implemented in the future, but you
should get a second word from genstef or jokey on that as I'm not
GnuPG Public Key: 0x4B8FE14B