1 |
Hi, |
2 |
|
3 |
I'm wondering if we're doing the right things by adding KEYWORDS to |
4 |
packages using cdrom.eclass. After all, it's somewhat similar to live |
5 |
ebuilds. That is, data is fetched outside regular PM mechanisms (though |
6 |
not implicitly through Internet, arguably) and it is not covered by any |
7 |
checksums. |
8 |
|
9 |
This creates a somewhat gaping security hole to anyone using those |
10 |
packages. After all, the ebuilds are going to happily install any |
11 |
malware you might have on that CD without even thinking twice about it. |
12 |
In fact, with construction of many ebuilds it is entirely plausible that |
13 |
additional unexpected files may end up being installed. |
14 |
|
15 |
To be honest, I don't think this is a problem that could be fixed. |
16 |
Technically, we could add some kind of, say, b2sum lists to ebuilds |
17 |
and verify installed files against them. However, the way I understand |
18 |
we frequently aim to support different releases of the same product, |
19 |
that may have wildly differing checksums. |
20 |
|
21 |
So maybe the most obvious solution would be to remove KEYWORDS from |
22 |
ebuilds unconditionally using cdrom.eclass (and their reverse |
23 |
dependencies), and mask USE=cdinstall on the rest. |
24 |
|
25 |
WDYT? |
26 |
|
27 |
-- |
28 |
Best regards, |
29 |
Michał Górny |