| 1 |
On Thu, Jun 09, 2022 at 07:49:04PM +0200, Sebastian Pipping wrote: |
| 2 |
> On 08.06.22 22:42, Robin H. Johnson wrote: |
| 3 |
> > EGO_SUM vs dependency tarballs: |
| 4 |
> > [..] |
| 5 |
> > - EGO_SUM is verifiable/reproducible from Upstream Go systems |
| 6 |
> |
| 7 |
> Let's be explicit, there is a _security_ threat here: as a user of an |
| 8 |
> ebuild, dependency tarballs now take effort in manual review just to |
| 9 |
> confirm that the content full matches its supposed list of ingredients. |
| 10 |
> They are the perfect place to hide malicious code in plain sight. Now |
| 11 |
> with dependency tarballs, there is a new layer that by design will |
| 12 |
> likely be chronically under-audited. It gives me shivers, frankly. |
| 13 |
> Previously with a manifest and upstream-only URLs, only upstream can add |
| 14 |
> malicious code, not downstream in Gentoo. |
| 15 |
|
| 16 |
There are many packages in ::gentoo that use tarballs of patches |
| 17 |
written and hosted by Gentoo developers, or tarballs of source code |
| 18 |
generated by developers themselves. A (very) rough grep shows this is |
| 19 |
very prevalent: |
| 20 |
|
| 21 |
~/gentoo/gentoo $ grep -r SRC_URI.*dev.gentoo.org | wc -l |
| 22 |
2845 |
| 23 |
|
| 24 |
So this problem isn't really new. Users are required to trust Gentoo |
| 25 |
packagers that we don't do naughty things to the source code, more or |
| 26 |
less just like any other distribution. |
Archives