On Mon, Feb 4, 2019 at 10:09 AM Alexis Ballier <aballier@g.o> wrote:
>
> Now, I want to install an ebuild from that overlay: I review said
> ebuild, seems fine, so I add & enable the overlay. Except, someone just
> pushed a malicious app-shells/bash running malicious code at global
> scope. Last I checked portage will source it and in the best case
> output a warning about running commands at global scope. I am now pwned.
>

Sure, hence my comment in my earlier email about having to have more
fine-grained controls around what gets pulled in. You really want
users to be pulling individual packages out of something like this and
not the entire repository, and you don't want even the individual
packages unless they're reviewing every one or somebody else they can
trust is doing so.

You can't just trust something like this the way you'd trust your own
overlay or whatever.

--
Rich
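The risk Alexis describes is that Portage sources an ebuild with bash, so any statement outside a function body executes during metadata generation, before the reviewer's intent matters. The following is an added example, not code from this thread or from Portage: a static pre-screen that flags top-level lines in an ebuild that are neither variable assignments, `inherit`, function definitions, nor simple `if`/`case` keywords, so a reviewer pulling individual packages from an untrusted overlay can triage them before the package manager ever reads them. The sample ebuild text is constructed and only loosely shaped like app-shells/bash; the scan is a heuristic with known blind spots (heredocs, braces inside quotes, single-quoted strings), not a substitute for Portage's own QA checks or for reading the file.

```python
"""Heuristic pre-review of ebuilds for commands executed at global scope.

Added example for the gentoo-dev thread above; not Portage code. The sample
ebuild below is constructed. Anything outside a bash function in an ebuild
runs when the file is sourced, so such lines are what a reviewer wants to
see first.
"""
import re

# Variable assignment, including += and array assignment: FOO=( ... )
ASSIGN_RE = re.compile(r'^[A-Za-z_]\w*(\[[^\]]*\])?\+?=')
# bash function definition: 'name() {', 'function name {', or 'name()' with
# the opening brace on the following line. Group 1 captures the brace.
FUNC_RE = re.compile(
    r'^(?:function\s+[A-Za-z_][\w-]*\s*(?:\(\))?|[A-Za-z_][\w-]*\s*\(\))\s*(\{)?\s*$')
# Control flow that legitimately appears at global scope in ebuilds, e.g.
# 'if [[ ${PV} == 9999 ]]; then inherit git-r3; fi'. Only test-based
# conditions are accepted; 'if some_command; then' is still flagged.
CONTROL_RE = re.compile(r'^(?:(?:if|elif)\s+\[|then\b|else\b|fi\b|case\s|esac\b|;;|\[\[)')


def _unescaped_dquotes(line):
    """Count double quotes not preceded by a backslash (for multi-line values)."""
    return len(re.findall(r'(?<!\\)"', line))


def find_global_scope_commands(ebuild_text):
    """Return [(lineno, line)] for lines that look like commands at global scope."""
    findings = []
    depth = 0             # brace depth inside a function body
    parens = 0            # open parens of a multi-line array assignment
    in_quote = False      # inside a multi-line double-quoted value
    pending_body = False  # saw 'name()' and expect '{' on the next line

    for lineno, raw in enumerate(ebuild_text.splitlines(), 1):
        line = raw.strip()
        odd_quotes = _unescaped_dquotes(line) % 2 == 1

        if in_quote:                      # continuation of a quoted value
            in_quote = not odd_quotes
            continue
        if not line or line.startswith('#'):
            continue
        if depth > 0:                     # inside a function body: fine
            depth += line.count('{') - line.count('}')
            in_quote = odd_quotes
            continue
        if parens > 0:                    # continuation of FOO=( ... )
            parens += line.count('(') - line.count(')')
            in_quote = odd_quotes
            continue

        m = FUNC_RE.match(line)
        if m:
            if m.group(1):
                depth = line.count('{') - line.count('}')
            else:
                pending_body = True
        elif pending_body and line.startswith('{'):
            depth = line.count('{') - line.count('}')
            pending_body = False
        elif ASSIGN_RE.match(line):
            parens = line.count('(') - line.count(')')
        elif line.startswith('inherit ') or CONTROL_RE.match(line):
            pass
        else:
            findings.append((lineno, raw.rstrip()))
        in_quote = odd_quotes
    return findings


# Constructed sample, loosely shaped like app-shells/bash; not a real ebuild.
SAMPLE_EBUILD = r'''# Constructed sample ebuild for the scanner above.
EAPI=7

inherit flag-o-matic toolchain-funcs

DESCRIPTION="The standard GNU Bourne again shell, with a
description that spans two lines"
HOMEPAGE="https://www.gnu.org/software/bash/"
SRC_URI="mirror://gnu/bash/${P}.tar.gz"

LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~amd64 ~x86"

PATCHES=(
	"${FILESDIR}/${PN}-constructed.patch"
)

if [[ ${PV} == 9999 ]]; then
	inherit git-r3
fi

# Nothing should run here, yet this line executes when the ebuild is sourced.
uname -a

src_configure() {
	append-cflags -DCONSTRUCTED_FLAG
	econf --with-bash-malloc
}

pkg_postinst() {
	elog "Constructed sample ${P} installed"
}
'''

if __name__ == "__main__":
    for lineno, text in find_global_scope_commands(SAMPLE_EBUILD):
        print(f"global-scope command at line {lineno}: {text}")
```

Run against the constructed sample it reports only line 24 (`uname -a`); the multi-line DESCRIPTION, the PATCHES array, the conditional `inherit`, and the function bodies are all recognised as legitimate. Pointing it at every `*.ebuild` in an overlay before adding that overlay to repos.conf gives the kind of per-package triage the reply argues for, at least for the crude "command at top level" case.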