Hi, it was my project. Portage has changed a lot since that time. I can try
to renew it, if it's still used.

2014-02-12 17:45 GMT+06:00 Michael Palimaka <kensington@g.o>:

> On 02/12/2014 04:56 PM, Brian Dolbec wrote:
> > On Wed, 12 Feb 2014 01:36:01 +1100
> > Michael Palimaka <kensington@g.o> wrote:
> >
> >> On 02/12/2014 01:03 AM, Rich Freeman wrote:
> >>> On Tue, Feb 11, 2014 at 7:39 AM, Michael Palimaka
> >>> <kensington@g.o> wrote:
> >>>> On 02/11/2014 11:34 PM, Rich Freeman wrote:
> >>>>
> >>>>> One of those ideas I've always wanted to implement is to create a
> >>>>> portage hook/patch that looks at the dependencies for the package
> >>>>> being built and configures sandbox to block read-access to
> >>>>> anything that wasn't explicitly declared. Sandbox works for
> >>>>> read-access as well as write-access, though
> >>>>> in /etc/sandbox.d/00default read-access is enabled everywhere by
> >>>>> default.
> >>>>>
> >>>>> And, yes, it could be configured to allow access to @system...
> >>>> That's pretty much what emerge_strict does.
> >>>
> >>> What is emerge_strict? The Google is failing me here...
> >>>
> >>> Rich
> >>>
> >> Sorry, I should have clarified. It's provided by autodep, extending
> >> the dependency analysis by denying access to any files not part of the
> >> specified dependencies and @system.
> >>
> >
> > There was a gentoo gsoc project a few years ago that did exactly this
> > for doing dep checks on ebuilds. There was also one for determining
> > deps automatically.
> >
> > Is this the project mentioned? ^^^
> >
>
> Should be, autodep was GSoC 2011.
>