Gentoo Archives: gentoo-project

From: Virgil Dupras <vdupras@g.o>
To: gentoo-project@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 04 Feb 2019 14:28:52
Message-Id: 20190204092845.4efc14d437da8a5da62df0b2@gentoo.org
In Reply to: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed] by "Michał Górny"
On Sun, 03 Feb 2019 20:28:49 +0100
Michał Górny <mgorny@g.o> wrote:

> Believe me, we don't really review the code of every
> submitted package, and if somebody wrote a program with malicious
> functionality and wanted to package it, it will probably be accepted.

To me, this is a very good argument, not in favor of GURU, but in favor of halting the proxy-maint project. Being able to trust the security of the Gentoo tree should be given more priority than allowing users to get their favorite packages in the tree.

The biggest roadblock to a project like this is the trust issue: I can end up trusting an individual overlay if I think it's managed well, but I can't possibly trust GURU for the same reasons I can't trust AUR: it's inherently insecure. We can always tell users "but you're supposed to review ebuilds yourself!", but even with a big fat warning, people will use it in "yolo" mode and even develop yaourt-like tools to make the yolo mode easier.

Sure, there might be a demand from some users for this kind of repository, but like Michael, I think that associating the Gentoo organisation with this kind of insecure mechanism is unwise.

From what I see in the wild, some overlays are already well organized. Maybe we should list those well-organized overlays somewhere "official" to encourage them to grow further?

Virgil