On 08.06.22 22:42, Robin H. Johnson wrote:
EGO_SUM vs dependency tarballs:
[..]
- EGO_SUM is verifiable/reproducible from Upstream Go systems

Let's be explicit, there is a _security_ threat here: as a user of an
ebuild, dependency tarballs now take effort in manual review just to
confirm that the content fully matches its supposed list of ingredients.
They are the perfect place to hide malicious code in plain sight.  Now
with dependency tarballs, there is a new layer that by design will
likely be chronically under-audited.  It gives me shivers, frankly.
Previously with a manifest and upstream-only URLs, only upstream can add
malicious code, not downstream in Gentoo.

Best

Sebastian
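The manual review Sebastian describes can be reduced to a hash comparison. As an added example (not code from this thread, from Gentoo's go-module eclass or from the Go project), the following recomputes Go's "h1:" module hash, the format recorded in go.sum and therefore in EGO_SUM, over an unpacked module directory, so a dependency tarball's contents can be checked against the upstream hash list. It assumes the same construction as golang.org/x/mod/sumdb/dirhash (mirrored here rather than imported) and assumes the tarball was unpacked to a plain module tree.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Hash1 computes the "h1:" hash used in go.sum / EGO_SUM over files named
// "module@version/path", as they appear in a module zip. Mirrors the
// dirhash.Hash1 algorithm (assumption); added example, not Go's own code.
func Hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for n := range files {
		if strings.Contains(n, "\n") { // a newline would forge extra lines
			return "", fmt.Errorf("dirhash: newline in filename %q", n)
		}
		names = append(names, n)
	}
	sort.Strings(names) // file order is part of the hash
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum, n) // one sha256sum-style line per file
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// HashDir hashes one unpacked module directory (e.g. a module taken out of a
// dependency tarball) under the "module@version" prefix used in go.sum.
func HashDir(dir, prefix string) (string, error) {
	files := map[string][]byte{}
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(dir, p)
		data, err := os.ReadFile(p)
		files[prefix+"/"+filepath.ToSlash(rel)] = data
		return err
	})
	if err != nil {
		return "", err
	}
	return Hash1(files) // compare the result with the recorded go.sum line
}
```

Module zips exclude vendor/ directories and nested modules, so hashing a `vendor/` tree instead of the module's own directory will not match the recorded value.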
