| 1 |
Hi, |
| 2 |
|
| 3 |
I'm wondering if we're doing the right things by adding KEYWORDS to |
| 4 |
packages using cdrom.eclass. After all, it's somewhat similar to live |
| 5 |
ebuilds. That is, data is fetched outside regular PM mechanisms (though |
| 6 |
not implicitly through Internet, arguably) and it is not covered by any |
| 7 |
checksums. |
| 8 |
|
| 9 |
This creates a somewhat gaping security hole to anyone using those |
| 10 |
packages. After all, the ebuilds are going to happily install any |
| 11 |
malware you might have on that CD without even thinking twice about it. |
| 12 |
In fact, with construction of many ebuilds it is entirely plausible that |
| 13 |
additional unexpected files may end up being installed. |
| 14 |
|
| 15 |
To be honest, I don't think this is a problem that could be fixed. |
| 16 |
Technically, we could add some kind of, say, b2sum lists to ebuilds |
| 17 |
and verify installed files against them. However, the way I understand |
| 18 |
we frequently aim to support different releases of the same product, |
| 19 |
that may have wildly differing checksums. |
| 20 |
|
| 21 |
So maybe the most obvious solution would be to remove KEYWORDS from |
| 22 |
ebuilds unconditionally using cdrom.eclass (and their reverse |
| 23 |
dependencies), and mask USE=cdinstall on the rest. |
| 24 |
|
| 25 |
WDYT? |
| 26 |
|
| 27 |
-- |
| 28 |
Best regards, |
| 29 |
Michał Górny |
Archives