| 1 |
> > The metadata cache is "inert" in the sense that it isn't executable |
| 2 |
> > code (and if anyone tries to execute it ... "You're doing it wrong" |
| 3 |
> > comes to mind"), so adding it does not pessimize the situation. |
| 4 |
> |
| 5 |
> But generating that cache means running code, and one of the things |
| 6 |
> that code could do is modify every overlay distributed by the box in |
| 7 |
> question such that anyone using any of those overlays will run |
| 8 |
> arbitrary code whenever they do emerge -p world. |
| 9 |
|
| 10 |
Good, this means we have to isolate it so that only each overlay itself exists |
| 11 |
in an environment that generates the metadata cache. A bit bothersome, but |
| 12 |
nothing more than adding a line or two to the script(s) that drive(s) this |
| 13 |
process. |
| 14 |
|
| 15 |
> > Hmm. I can't think of any sane way to prevent people from writing bad |
| 16 |
> > ebuilds. And I also can't think of a reliable method to detect such |
| 17 |
> > or prevent users from trying to use them. In short, we just have to |
| 18 |
> > trust people. As a sidenote, we just randomly trust devs too. And it |
| 19 |
> > usually works ... |
| 20 |
> |
| 21 |
> There's a big difference between the levels of verification done for |
| 22 |
> developers and that which is done for overlay maintainers. Currently, |
| 23 |
> any overlay maintainer can root any box on which their overlay is used |
| 24 |
> (whether or not anything from that overlay is installed). You're |
| 25 |
> escalating this to any layman-listed overlay maintainer being able to |
| 26 |
> root any box using any layman-listed overlay. |
| 27 |
|
| 28 |
Right, that would be silly. So ... we can restrict the whole concept to |
| 29 |
official overlays if we want (trust and all that), and we can keep separate |
| 30 |
environments per overlay to avoid cross-contamination. Which keeps us about as |
| 31 |
exposed as the status quo, but we make updates and dep calculation faster (at |
| 32 |
least for those overlays that are in a sane condition). |
| 33 |
|
| 34 |
Y'know, what would be even more fun than this pingpong would be a consistent |
| 35 |
counterproposal from you. Point out all the issues at once instead of one per |
| 36 |
email and all that. Like this we're at the third or fourth iteration, people |
| 37 |
(including me) get bored with the whole thread and some half-baked thing gets |
| 38 |
implemented because only three people manage to read the mail thread to its |
| 39 |
end ... |
Archives