On Sun, 03 Feb 2019 20:28:49 +0100
Michał Górny <mgorny@g.o> wrote:

> Believe me, we don't really review the code of every
> submitted package, and if somebody wrote a program with malicious
> functionality and wanted to package it, it will probably be accepted.

To me, this is a very good argument, not in favor of GURU, but in favor
of halting the proxy-maint project. Being able to trust the security of
the Gentoo tree should be given more priority than allowing users to
get their favorite packages in the tree.

The biggest roadblock to a project like this is the trust issue: I can
end up trusting an individual overlay if I think it's managed well, but
I can't possibly trust GURU for the same reasons I can't trust AUR:
it's inherently insecure.

We can always tell users "but you're supposed to review ebuilds
yourself!", but even with a big fat warning, people will use it in
"yolo" mode and even develop yaourt-like tools to make the yolo mode
easier.

Sure, there might be a demand from some users for this kind of
repository, but like Michael, I think that associating the Gentoo
organisation with this kind of insecure mechanism is unwise.

From what I see in the wild, some overlays are already well organized.
Maybe we should list those well-organized overlays somewhere
"official" to encourage them to grow further?

Virgil