Alec Warner wrote:
> This is to prevent people from sticking a random unchecksum'd ebuild in
> your tree and then having portage source it for depend() metadata and
> then getting bitten by some global scope nasties.

Is this really the correct solution to this "problem"?

I can't see the use case: do people really download (potentially
malicious) ebuilds, stick them in their overlay, and then *not* use them?

Somehow I don't think that's true - people will generally download
ebuilds, and use them (even if they fail during compilation, they will
have been used in some form).

If you start requiring people to create Manifests for these ebuilds,
they will do so, and this has not changed the security implications of
these "untrusted" ebuilds.

Am I missing something?

Daniel
--
gentoo-dev@g.o mailing list