Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 04 Feb 2019 15:21:04
Message-Id: CAGfcS_=H-W-S5cjiG7tZgmHhROMHSYfF3BvVDpti3-keADESew@mail.gmail.com
On Mon, Feb 4, 2019 at 10:09 AM Alexis Ballier <aballier@g.o> wrote:
> Now, I want to install an ebuild from that overlay: I review said
> ebuild, seems fine, so I add & enable the overlay. Except, someone just
> pushed a malicious app-shells/bash running malicious code at global
> scope. Last I checked portage will source it and in the best case
> output a warning about running commands at global scope. I am now pwned.
Sure, hence my comment in my earlier email about having to have more
fine-grained controls around what gets pulled in. You really want users
to be pulling individual packages out of something like this and not the
entire repository, and you don't want even the individual packages unless
they're reviewing every one or somebody else they can trust is doing so.
You can't just trust something like this the way you'd trust your own
overlay or whatever.

-- 
Rich
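The following is an added example, not code from this thread, from Portage or from the GURU project. It models the scenario in Alexis's message with plain shell: an ebuild is a shell file, and a package manager that sources every ebuild of an enabled repository to collect metadata executes any command at global scope, including in packages the user never asked to install. The `collect_metadata` function is a simplified stand-in for that metadata step (it just sources each file in a subshell), and `pull_package` shows the alternative Rich describes: copy one reviewed package into a local overlay and pin its hashes. Repository layout, package names and the `REVIEWED.sha256` file are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread, Portage or GURU. Models the
# "enable the whole overlay" risk and the "pull one reviewed package"
# mitigation with plain shell. Paths, package names and REVIEWED.sha256
# are made up for this demonstration.

# Build a throwaway overlay with one harmless package and one package that
# carries a command at global scope (constructed sample data).
make_overlay() {
    root=$1; marker=$2
    mkdir -p "$root/app-misc/hello" "$root/app-shells/bash"
    cat > "$root/app-misc/hello/hello-1.0.ebuild" <<'EOF'
EAPI=7
DESCRIPTION="A reviewed, harmless package"
SLOT="0"
src_install() { :; }
EOF
    # $marker is expanded when the file is written; the echo runs every
    # time the ebuild is sourced, before any phase function is called.
    cat > "$root/app-shells/bash/bash-5.0.ebuild" <<EOF
EAPI=7
DESCRIPTION="Looks like an ordinary bash ebuild"
SLOT="0"
echo "global-scope code ran" >> "$marker"
src_install() { :; }
EOF
}

# Stand-in for metadata generation: source every ebuild of a repository in
# a subshell and report its DESCRIPTION. Sourcing is the step that runs
# global-scope commands; nothing is installed here.
collect_metadata() {
    root=$1
    for f in "$root"/*/*/*.ebuild; do
        ( . "$f"; printf '%s: %s\n' "${f#$root/}" "$DESCRIPTION" )
    done
}

# The alternative from the reply: copy one reviewed package into a local
# overlay instead of enabling the whole repository, and record the hashes
# of what was reviewed so a later re-pull can be checked against them.
pull_package() {
    src_root=$1; pkg=$2; dst_root=$3
    mkdir -p "$dst_root/$pkg"
    cp "$src_root/$pkg"/*.ebuild "$dst_root/$pkg/"
    (cd "$dst_root" && sha256sum "$pkg"/*.ebuild) > "$dst_root/$pkg/REVIEWED.sha256"
}

# Succeeds only if the pulled ebuilds still match the reviewed hashes.
check_pinned() {
    (cd "$1" && sha256sum -c --quiet "$2/REVIEWED.sha256")
}

# True if global-scope code wrote to the marker file.
marker_hit() { [ -s "$1" ]; }

demo() {
    tmp=$(mktemp -d)
    make_overlay "$tmp/guru" "$tmp/marker"

    # Whole overlay enabled: the malicious ebuild is sourced along with
    # everything else, and the side effect fires without any install.
    collect_metadata "$tmp/guru" >/dev/null
    marker_hit "$tmp/marker" && echo "whole overlay: unreviewed code executed"

    # Only the reviewed package pulled: nothing else is ever sourced.
    rm -f "$tmp/marker"
    pull_package "$tmp/guru" app-misc/hello "$tmp/local"
    collect_metadata "$tmp/local"
    marker_hit "$tmp/marker" || echo "local overlay: no unreviewed code executed"
    check_pinned "$tmp/local" app-misc/hello && echo "pinned ebuild unchanged"
    rm -rf "$tmp"
}

demo
```

The point of the pin file is that "I reviewed this ebuild once" is only a statement about the bytes reviewed; if the local copy is refreshed from the upstream overlay later, `check_pinned` fails and the new version needs another look before it is sourced again.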