1 |
> > The metadata cache is "inert" in the sense that it isn't executable |
2 |
> > code (and if anyone tries to execute it ... "You're doing it wrong" |
3 |
> > comes to mind"), so adding it does not pessimize the situation. |
4 |
> |
5 |
> But generating that cache means running code, and one of the things |
6 |
> that code could do is modify every overlay distributed by the box in |
7 |
> question such that anyone using any of those overlays will run |
8 |
> arbitrary code whenever they do emerge -p world. |
9 |
|
10 |
Good, this means we have to isolate it so that only each overlay itself exists |
11 |
in an environment that generates the metadata cache. A bit bothersome, but |
12 |
nothing more than adding a line or two to the script(s) that drive(s) this |
13 |
process. |
14 |
|
15 |
> > Hmm. I can't think of any sane way to prevent people from writing bad |
16 |
> > ebuilds. And I also can't think of a reliable method to detect such |
17 |
> > or prevent users from trying to use them. In short, we just have to |
18 |
> > trust people. As a sidenote, we just randomly trust devs too. And it |
19 |
> > usually works ... |
20 |
> |
21 |
> There's a big difference between the levels of verification done for |
22 |
> developers and that which is done for overlay maintainers. Currently, |
23 |
> any overlay maintainer can root any box on which their overlay is used |
24 |
> (whether or not anything from that overlay is installed). You're |
25 |
> escalating this to any layman-listed overlay maintainer being able to |
26 |
> root any box using any layman-listed overlay. |
27 |
|
28 |
Right, that would be silly. So ... we can restrict the whole concept to |
29 |
official overlays if we want (trust and all that), and we can keep separate |
30 |
environments per overlay to avoid cross-contamination. Which keeps us about as |
31 |
exposed as the status quo, but we make updates and dep calculation faster (at |
32 |
least for those overlays that are in a sane condition). |
33 |
|
34 |
Y'know, what would be even more fun than this pingpong would be a consistent |
35 |
counterproposal from you. Point out all the issues at once instead of one per |
36 |
email and all that. Like this we're at the third or fourth iteration, people |
37 |
(including me) get bored with the whole thread and some half-baked thing gets |
38 |
implemented because only three people manage to read the mail thread to its |
39 |
end ... |