Gentoo Archives: gentoo-dev

From: Sebastian Pipping <sping@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] About EGO_SUM
Date: Thu, 09 Jun 2022 17:49:20
In Reply to: Re: [gentoo-dev] About EGO_SUM by "Robin H. Johnson"
1 On 08.06.22 22:42, Robin H. Johnson wrote:
2 > EGO_SUM vs dependency tarballs:
3 > [..]
4 > - EGO_SUM is verifiable/reproducible from Upstream Go systems
6 Let's be explicit, there is a _security_ threat here: as a user of an
7 ebuild, dependency tarballs now take effort in manual review just to
8 confirm that the content full matches its supposed list of ingredients.
9 They are the perfect place to hide malicious code in plain sight. Now
10 with dependency tarballs, there is a new layer that by design will
11 likely be chronically under-audited. It gives me shivers, frankly.
12 Previously with a manifest and upstream-only URLs, only upstream can add
13 malicious code, not downstream in Gentoo.
15 Best
19 Sebastian


Subject Author
Re: [gentoo-dev] About EGO_SUM Anna <cyber+gentoo@×××××.in>
Re: [gentoo-dev] About EGO_SUM John Helmert III <ajak@g.o>