On 08.06.22 22:42, Robin H. Johnson wrote:
> EGO_SUM vs dependency tarballs:
> [..]
> - EGO_SUM is verifiable/reproducible from Upstream Go systems

Let's be explicit: there is a _security_ threat here. As a user of an
ebuild, dependency tarballs now take effort in manual review just to
confirm that the content fully matches its supposed list of ingredients.
They are the perfect place to hide malicious code in plain sight. Now
with dependency tarballs, there is a new layer that by design will
likely be chronically under-audited. It gives me shivers, frankly.
Previously with a manifest and upstream-only URLs, only upstream can add
malicious code, not downstream in Gentoo.

Best


Sebastian
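The check the post says a reviewer now has to do by hand (does the unpacked dependency match its "list of ingredients", i.e. the go.sum entries that EGO_SUM carries) can be mechanised. Below is an added example, not code from this thread or from the Gentoo eclass: it reimplements the Go "h1:" directory-hash algorithm (the one in golang.org/x/mod/sumdb/dirhash, rewritten here over the standard library only), parses go.sum-style lines, and verifies an in-memory module against them. The module name example.com/dep, its files and the go.sum lines are constructed for the example; a real check would walk the unpacked tarball instead of a map.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles maps a path inside the module to its contents. Real code
// would read these from the unpacked dependency tarball; here the files
// are constructed in memory so the example runs offline.
type ModuleFiles map[string][]byte

// Hash1 computes the Go "h1:" hash that go.sum records for a module:
// each file is hashed with SHA-256, the lines "<hex>  <name>\n" are
// concatenated in sorted name order, and the SHA-256 of that summary is
// base64-encoded with an "h1:" prefix. Names carry the "module@version/"
// prefix exactly as they appear in the module zip, because that is what
// the go.sum entry covers. (Reimplementation of dirhash.Hash1/HashZip.)
func Hash1(modulePath, version string, files ModuleFiles) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("filenames with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names) // result must not depend on map iteration order
	prefix := modulePath + "@" + version + "/"
	summary := sha256.New()
	for _, name := range names {
		fh := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", fh[:], prefix+name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// ParseGoSum parses go.sum / EGO_SUM text into a map keyed by
// "module version". The "module version/go.mod" lines (hash of the
// go.mod file alone) are kept under their own key and are not checked
// by VerifyModule.
func ParseGoSum(text string) map[string]string {
	sums := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
			continue // blank, comment or malformed line
		}
		sums[fields[0]+" "+fields[1]] = fields[2]
	}
	return sums
}

// VerifyModule recomputes the hash of an unpacked module and compares it
// with the recorded entry. A module that is present in the tarball but
// absent from go.sum is reported as an error, not as a pass: an unlisted
// ingredient is exactly what a reviewer must not wave through.
func VerifyModule(modulePath, version string, files ModuleFiles, sums map[string]string) (bool, error) {
	want, ok := sums[modulePath+" "+version]
	if !ok {
		return false, fmt.Errorf("no go.sum entry for %s %s", modulePath, version)
	}
	got, err := Hash1(modulePath, version, files)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

func main() {
	// Constructed sample module; not a real upstream package.
	files := ModuleFiles{
		"go.mod":  []byte("module example.com/dep\n\ngo 1.18\n"),
		"dep.go":  []byte("package dep\n\nfunc Answer() int { return 42 }\n"),
		"LICENSE": []byte("constructed license text\n"),
	}
	h, _ := Hash1("example.com/dep", "v1.0.0", files)
	sums := ParseGoSum("example.com/dep v1.0.0 " + h + "\n")
	ok, _ := VerifyModule("example.com/dep", "v1.0.0", files, sums)
	fmt.Println("clean module verifies:", ok)

	// A tampered copy: one appended line in dep.go changes the hash.
	tampered := ModuleFiles{}
	for k, v := range files {
		tampered[k] = v
	}
	tampered["dep.go"] = append(append([]byte(nil), files["dep.go"]...), []byte("// injected\n")...)
	ok, _ = VerifyModule("example.com/dep", "v1.0.0", tampered, sums)
	fmt.Println("tampered module verifies:", ok)
}
```

Run over a real tarball, the loop in main would iterate every module directory and fail the review on any mismatch or any module without a go.sum line; the comparison is against the hashes already in the ebuild, so the tarball itself never becomes the source of truth.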