| 1 |
On Mon, Feb 4, 2019 at 10:09 AM Alexis Ballier <aballier@g.o> wrote: |
| 2 |
> |
| 3 |
> Now, I want to install an ebuild from that overlay: I review said |
| 4 |
> ebuild, seems fine, so I add & enable the overlay. Except, someone just |
| 5 |
> pushed a malicious app-shells/bash running malicious code at global |
| 6 |
> scope. Last I checked portage will source it and in the best case |
| 7 |
> output a warning about running commands at global scope. I am now pwned. |
| 8 |
> |
| 9 |
|
| 10 |
Sure, hence my comment in my earlier email about having to have more |
| 11 |
fine-grained controls around what gets pulled in. You really want |
| 12 |
users to be pulling individual packages out of something like this and |
| 13 |
not the entire repository, and you don't want even the individual |
| 14 |
packages unless they're reviewing every one or somebody else they can |
| 15 |
trust is doing so. |
| 16 |
|
| 17 |
You can't just trust something like this the way you'd trust your own |
| 18 |
overlay or whatever. |
| 19 |
|
| 20 |
-- |
| 21 |
Rich |
Archives