Eli Schwartz posted on Sun, 24 Aug 2025 15:32:07 -0400 as excerpted:

> I am opposed to implementing anything which constitutes "security
> theater as a matter of policy". Security theater is a *net negative*. It
> makes people think that security guarantees exist which don't in fact
> exist, and they let down their guard.
So yeah, it's theater, and I agree, certainly net-negative (and FWIW I'd have worded it as flat dangerous, at least as-is!) in general, in part because it seems to prove something it doesn't.

Jayf does have a point, however. Theater tho it may be, what happens if somehow, some way, that theater catches something upstream and gentoo doesn't because it didn't implement it?

So I asked myself if there was a way to counteract that negative/dangerous bit while still doing the hoop-jump theater to counteract jayf's what-if as well?

I can't seem to grep it any longer, but some years ago I recall coming across a USE flag for some package: gaping-security-hole (or some such, that's from memory). Naturally on seeing that flag I had to equery uses the package to see just what sort of description that USE flag had, and it was pretty much what the name suggested, but (reading a bit more into things than was actually explicit) apparently a presumably large site installation had some sort of local use-case where the security concerns didn't apply, so given that it had an upstream-available config option, the Gentoo maintainer had obliged them with a USE flag but labeled it exactly what he considered it to be in the process. That was a memorable USE flag!

Borrowing that blatant call-out idea, what if we called it PYPI_VERIFICATION_THEATER or PYPI_HOOP_JUMPING_THEATER instead of PYPI_VERIFY_REPO, with accordingly matched low-level function names? Or even PYPI_FAKE_VERIFICATION or PYPI_VERIFICATION_FAKEOUT, etc., to more directly call it what it is...

From here that looks to get the message across both for Gentoo devs and upstream/downstream if anyone cares to look, while nevertheless going through the motions upstream's proposing in case jayf somehow, some way, looks prescient in a couple years. (No offense intended jayf, tho surely you'd rather you didn't, too! =:^)

Of course if upstream ever does the second step and gets the halt-on-change sam's quote pointed to working, we'd arguably want to tone down our names a bit, but at least we'd have worked out any bugs in our initial implementation during the theater (aka dry-run test) period, and that bit should continue to work once there's at least /some/ value to it.

Not that I'll be broken-hearted if that proposal isn't implemented, but the option is there...

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
