Gentoo Archives: gentoo-project

From: Virgil Dupras <vdupras@g.o>
To: gentoo-project@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 04 Feb 2019 14:28:52
Message-Id: 20190204092845.4efc14d437da8a5da62df0b2@gentoo.org
In Reply to: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed] by "Michał Górny"
On Sun, 03 Feb 2019 20:28:49 +0100
Michał Górny <mgorny@g.o> wrote:

> Believe me, we don't really review the code of every
> submitted package, and if somebody wrote a program with malicious
> functionality and wanted to package it, it will probably be accepted.

To me, this is a very good argument, not in favor of GURU, but in favor
of halting the proxy-maint project. Being able to trust the security of
the Gentoo tree should be given more priority than allowing users to
get their favorite packages in the tree.

The biggest roadblock to a project like this is the trust issue: I can
end up trusting an individual overlay if I think it's managed well, but
I can't possibly trust GURU for the same reasons I can't trust AUR:
it's inherently insecure.

We can always tell users "but you're supposed to review ebuilds
yourself!", but even with a big fat warning, people will use it in
"yolo" mode and even develop yaourt-like tools to make the yolo mode
easier.

Sure, there might be a demand from some users for this kind of
repository, but like Michael, I think that associating the Gentoo
organisation with this kind of insecure mechanism is unwise.

From what I see in the wild, some overlays are already well organized.
Maybe we should list those well-organized overlays somewhere
"official" to encourage them to grow further?

Virgil