| 1 |
Alec Warner wrote: |
| 2 |
> This is to prevent people from sticking a random unchecksum'd ebuild in |
| 3 |
> your tree and then having portage source it for depend() metadata and |
| 4 |
> then getting bitten by some global scope nasties. |
| 5 |
|
| 6 |
Is this really the correct solution to this "problem"? |
| 7 |
|
| 8 |
I can't see the use case: do people really download (potentially |
| 9 |
malicious) ebuilds, stick them in their overlay, and then *not* use them? |
| 10 |
|
| 11 |
Somehow I don't think that's true - people will generally download |
| 12 |
ebuilds, and use them (even if they fail during compilation, they will |
| 13 |
have been used in some form). |
| 14 |
|
| 15 |
If you start requiring people to create Manifests for these ebuilds, |
| 16 |
they will do so, and this has not changed the security implications of |
| 17 |
these "untrusted" ebuilds. |
| 18 |
|
| 19 |
Am I missing something? |
| 20 |
|
| 21 |
Daniel |
| 22 |
-- |
| 23 |
gentoo-dev@g.o mailing list |
Archives