1 |
>>>>> On Wed, 28 Sep 2022, Florian Schmaus wrote: |
2 |
|
3 |
> I would like to continue discussing whether we should entirely |
4 |
> deprecate EGO_SUM without the desire to offend anyone. |
5 |
|
6 |
> We now have a pending GitHub PR that bumps restic to 0.14 [1]. Restic |
7 |
> is a very popular backup software written in Go. The PR drops EGO_SUM |
8 |
> in favor of a vendor tarball created by the proxied maintainer. |
9 |
> However, I am unaware of any tool that lets you practically audit the |
10 |
> 35 MiB source contained in the tarball. And even if such a tool |
11 |
> exists, this would mean another manual step is required, which is, |
12 |
> potentially, skipped most of the time, weakening our user's security. |
13 |
> This is because I believe neither our tooling, e.g., go-mod.eclass, |
14 |
> nor any Golang tooling, does authenticate the contents of the vendor |
15 |
> tarball against upstream's go.sum. But please correct me if I am |
16 |
> wrong. |
17 |
|
18 |
> I wonder if we can reach consensus around un-depreacting EGO_SUM, but |
19 |
> discouraging its usage in certain situations. That is, provide EGO_SUM |
20 |
> as option but disallow its use if |
21 |
> 1.) *upstream* provides a vendor tarball |
22 |
> 2.) the number of EGO_SUM entries exceeds 1000 and a Gentoo developer |
23 |
> maintains the package |
24 |
> 3.) the number of EGO_SUM entries exceeds 1500 and a proxied |
25 |
> maintainer maintains the package |
26 |
|
27 |
These numbers seem quite large, compared to the mean number of 3.4 |
28 |
distfiles for packages in the Gentoo repository. (The median and the |
29 |
99-percentile are 1 and 22, respectively.) |
30 |
|
31 |
Ulrich |