| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Daniel Drake wrote: |
| 5 |
> Alec Warner wrote: |
| 6 |
>> This is to prevent people from sticking a random unchecksum'd ebuild |
| 7 |
>> in your tree and then having portage source it for depend() metadata |
| 8 |
>> and then getting bitten by some global scope nasties. |
| 9 |
> |
| 10 |
> Is this really the correct solution to this "problem"? |
| 11 |
> |
| 12 |
> I can't see the use case: do people really download (potentially |
| 13 |
> malicious) ebuilds, stick them in their overlay, and then *not* use them? |
| 14 |
> |
| 15 |
> Somehow I don't think that's true - people will generally download |
| 16 |
> ebuilds, and use them (even if they fail during compilation, they will |
| 17 |
> have been used in some form). |
| 18 |
> |
| 19 |
> If you start requiring people to create Manifests for these ebuilds, |
| 20 |
> they will do so, and this has not changed the security implications of |
| 21 |
> these "untrusted" ebuilds. |
| 22 |
> |
| 23 |
> Am I missing something? |
| 24 |
> |
| 25 |
> Daniel |
| 26 |
|
| 27 |
The plan is to eventually include digital signature verification |
| 28 |
together with the Manifest verification. The framework isn't |
| 29 |
completely implemented yet, but we're beginning to put some of the |
| 30 |
required mechanisms into place. |
| 31 |
|
| 32 |
Considering that repoman users generally have complete trust in |
| 33 |
their cvs checkout, I suppose it would make sense to allow repoman |
| 34 |
features to be configured separately. For example, we could allow |
| 35 |
you to set REPOMAN_FEATURES="-strict" in make.conf so that you won't |
| 36 |
be bothered by broken Manifests when running repoman. |
| 37 |
|
| 38 |
Zac |
| 39 |
-----BEGIN PGP SIGNATURE----- |
| 40 |
Version: GnuPG v1.4.5 (GNU/Linux) |
| 41 |
|
| 42 |
iD8DBQFFc4bT/ejvha5XGaMRAiYbAJwIWJF7lCR7ICMmJGAfDOQlZNtlHACfYqJp |
| 43 |
fUERS53nyQ2kQf1QMb3rd5k= |
| 44 |
=5cht |
| 45 |
-----END PGP SIGNATURE----- |
| 46 |
-- |
| 47 |
gentoo-dev@g.o mailing list |
Archives