| 1 |
>>>>> On Wed, 28 Sep 2022, Florian Schmaus wrote: |
| 2 |
|
| 3 |
> I would like to continue discussing whether we should entirely |
| 4 |
> deprecate EGO_SUM without the desire to offend anyone. |
| 5 |
|
| 6 |
> We now have a pending GitHub PR that bumps restic to 0.14 [1]. Restic |
| 7 |
> is a very popular backup software written in Go. The PR drops EGO_SUM |
| 8 |
> in favor of a vendor tarball created by the proxied maintainer. |
| 9 |
> However, I am unaware of any tool that lets you practically audit the |
| 10 |
> 35 MiB source contained in the tarball. And even if such a tool |
| 11 |
> exists, this would mean another manual step is required, which is, |
| 12 |
> potentially, skipped most of the time, weakening our user's security. |
| 13 |
> This is because I believe neither our tooling, e.g., go-mod.eclass, |
| 14 |
> nor any Golang tooling, does authenticate the contents of the vendor |
| 15 |
> tarball against upstream's go.sum. But please correct me if I am |
| 16 |
> wrong. |
| 17 |
|
| 18 |
> I wonder if we can reach consensus around un-depreacting EGO_SUM, but |
| 19 |
> discouraging its usage in certain situations. That is, provide EGO_SUM |
| 20 |
> as option but disallow its use if |
| 21 |
> 1.) *upstream* provides a vendor tarball |
| 22 |
> 2.) the number of EGO_SUM entries exceeds 1000 and a Gentoo developer |
| 23 |
> maintains the package |
| 24 |
> 3.) the number of EGO_SUM entries exceeds 1500 and a proxied |
| 25 |
> maintainer maintains the package |
| 26 |
|
| 27 |
These numbers seem quite large, compared to the mean number of 3.4 |
| 28 |
distfiles for packages in the Gentoo repository. (The median and the |
| 29 |
99-percentile are 1 and 22, respectively.) |
| 30 |
|
| 31 |
Ulrich |
Archives