On 2022-06-09 19:49, Sebastian Pipping wrote:
> On 08.06.22 22:42, Robin H. Johnson wrote:
> > EGO_SUM vs dependency tarballs:
> > [..]
> > - EGO_SUM is verifiable/reproducible from Upstream Go systems
>
> Let's be explicit, there is a _security_ threat here: as a user of an
> ebuild, dependency tarballs now take effort in manual review just to
> confirm that the content fully matches its supposed list of ingredients.
> They are the perfect place to hide malicious code in plain sight. Now
> with dependency tarballs, there is a new layer that by design will
> likely be chronically under-audited. It gives me shivers, frankly.
> Previously with a manifest and upstream-only URLs, only upstream can add
> malicious code, not downstream in Gentoo.

I think dependency tarballs are a temporary solution. Maintainers should
send upstream patches for their release CI/scripts to include the
"vendor" directory.

Seems like there will be an option in goreleaser soon:
https://github.com/goreleaser/goreleaser/issues/2911

I do it with just 'go' and 'tar' for the time being.
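As an added example (not Sebastian's or Robin's code, and not the author's own 'go' and 'tar' invocation), a POSIX shell sketch of both halves of the discussion: building the vendor tarball deterministically, and cross-checking a tarball's vendor/modules.txt against go.sum so that its "list of ingredients" can be audited instead of trusted. The build step assumes GNU tar, xz and a Go toolchain; the audit step needs only sh and awk.

```sh
#!/bin/sh
# Added example, not code from the thread. Build step assumes GNU tar, xz
# and a Go toolchain; the audit step needs only POSIX sh and awk.
set -eu

# Produce a deterministic vendor tarball from a module checkout, so that two
# maintainers vendoring the same go.sum end up with byte-identical archives.
make_vendor_tarball() {
  src="$1"; out="$2"
  ( cd "$src" && go mod verify && go mod vendor )
  tar --sort=name --mtime='1970-01-01 00:00:00 UTC' --owner=0 --group=0 \
      --numeric-owner -C "$src" -cf - vendor | xz -9 > "$out"
}

# Audit a dependency tarball's vendor/modules.txt ($1) against go.sum ($2):
# every vendored module@version (or its replacement target) must have a
# content hash line in go.sum, not just a .../go.mod line. Filesystem
# replacements ("=> ./dir") have no go.sum entry and are skipped.
# Prints each offender and returns 1 if any are found.
check_vendor_against_gosum() {
  awk -v gosum="$2" '
    BEGIN { bad = 0 }
    FILENAME == gosum {
      if (NF == 3 && $3 ~ /^h1:/ && $2 !~ /\/go\.mod$/) have[$1 " " $2] = 1
      next
    }
    /^# / {
      mod = $2; ver = $3
      if ($3 == "=>")      { mod = $4; ver = $5 }   # "# mod => other vX"
      else if ($4 == "=>") { mod = $5; ver = $6 }   # "# mod vX => other vY"
      if (ver == "") next                           # "=> ./local/path"
      if (!((mod " " ver) in have)) { print "not in go.sum: " mod "@" ver; bad = 1 }
    }
    END { exit bad }
  ' "$2" "$1"
}
```

Run the audit against the unpacked vendor directory of a dependency tarball together with the ebuild's go.sum; anything it reports is vendored content that the upstream manifest never vouched for.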