On Thu, Jun 09, 2022 at 07:49:04PM +0200, Sebastian Pipping wrote:
> On 08.06.22 22:42, Robin H. Johnson wrote:
> > EGO_SUM vs dependency tarballs:
> > [..]
> > - EGO_SUM is verifiable/reproducible from Upstream Go systems
> 
> Let's be explicit, there is a _security_ threat here: as a user of an
> ebuild, dependency tarballs now take effort in manual review just to
> confirm that the content full matches its supposed list of ingredients.
> They are the perfect place to hide malicious code in plain sight.  Now
> with dependency tarballs, there is a new layer that by design will
> likely be chronically under-audited.  It gives me shivers, frankly.
> Previously with a manifest and upstream-only URLs, only upstream can add
> malicious code, not downstream in Gentoo.

There are many packages in ::gentoo that use tarballs of patches
written and hosted by Gentoo developers, or tarballs of source code
generated by developers themselves. A (very) rough grep shows this is
very prevalent:

~/gentoo/gentoo $ grep -r SRC_URI.*dev.gentoo.org | wc -l
2845

So this problem isn't really new. Users are required to trust Gentoo
packagers that we don't do naughty things to the source code, more or
less just like any other distribution.
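The manual review Sebastian describes (confirming that a dependency tarball's contents match its "list of ingredients") can be mechanised: go.sum, and the EGO_SUM lines derived from it, record an `h1:` checksum for every module zip and every go.mod, and those checksums can be recomputed from whatever the tarball actually contains. The script below is an added example written for this post; it is not code from the thread or from Gentoo's go-module.eclass. It reimplements the `h1:` hash (the `Hash1` function of golang.org/x/mod/sumdb/dirhash) and assumes the tarball uses the Go module-cache layout, `cache/download/<module>/@v/<version>.zip` and `.mod`, with the cache's `!x` case escaping; the module name `example.com/Dep` and all file contents are constructed sample data.

```python
"""Check a Go dependency tarball against go.sum-style checksums.

Constructed example, not code from the thread or from go-module.eclass.
The "h1:" hash is the one go.sum records: sha256 over the sorted lines
"<sha256hex of file>  <file name>\n" (dirhash.Hash1), base64 encoded.
"""
import base64
import hashlib
import io
import re
import tarfile
import zipfile


def hash1(files):
    """dirhash.Hash1 over a {name: content_bytes} mapping."""
    summary = hashlib.sha256()
    for name in sorted(files):
        digest = hashlib.sha256(files[name]).hexdigest()
        summary.update(f"{digest}  {name}\n".encode())
    return "h1:" + base64.b64encode(summary.digest()).decode()


def module_zip_hash(zip_bytes):
    """Checksum of a module zip; entry names keep their module@version/ prefix."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    return hash1(files)


def go_mod_hash(mod_bytes):
    """Checksum recorded on the "<module> <version>/go.mod" line of go.sum."""
    return hash1({"go.mod": mod_bytes})


def parse_go_sum(text):
    """Return {(module, version or version/go.mod): h1 checksum}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            sums[(parts[0], parts[1])] = parts[2]
    return sums


def decode_cache_path(escaped):
    """Undo the module cache's case escaping: '!x' stands for 'X'."""
    return re.sub(r"!([a-z])", lambda m: m.group(1).upper(), escaped)


# Assumed tarball layout: Go module cache download tree (e.g. under go-mod/).
CACHE_RE = re.compile(r"^(?:.*/)?cache/download/(.+)/@v/([^/]+)\.(zip|mod)$")


def iter_module_hashes(tar_bytes):
    """Yield ((module, version or version/go.mod), h1) for every cache entry."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            m = CACHE_RE.match(member.name)
            if not m or not member.isfile():
                continue
            module, version = decode_cache_path(m.group(1)), decode_cache_path(m.group(2))
            data = tf.extractfile(member).read()
            if m.group(3) == "zip":
                yield (module, version), module_zip_hash(data)
            else:
                yield (module, version + "/go.mod"), go_mod_hash(data)


def verify_dependency_tarball(tar_bytes, go_sum_text):
    """Return (module, version, problem) findings; an empty list means the tarball matches."""
    expected = parse_go_sum(go_sum_text)
    findings, seen = [], set()
    for key, actual in iter_module_hashes(tar_bytes):
        seen.add(key)
        if key not in expected:
            findings.append((*key, "not listed in go.sum"))
        elif expected[key] != actual:
            findings.append((*key, "checksum mismatch"))
    for key in sorted(expected.keys() - seen):
        findings.append((*key, "listed in go.sum but missing from tarball"))
    return findings


def go_sum_from_tarball(tar_bytes):
    """Render go.sum lines from a tarball (only useful for a tarball you already trust)."""
    return "".join(f"{m} {v} {h}\n" for (m, v), h in iter_module_hashes(tar_bytes))


def build_sample_tarball(dep_go, go_mod):
    """Constructed sample: one module, example.com/Dep v1.0.0, in cache layout."""
    module, version = "example.com/Dep", "v1.0.0"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(f"{module}@{version}/go.mod", go_mod)
        zf.writestr(f"{module}@{version}/dep.go", dep_go)
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w:gz") as tf:
        base = f"go-mod/cache/download/example.com/!dep/@v/{version}"
        for name, data in ((base + ".zip", zbuf.getvalue()), (base + ".mod", go_mod)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tbuf.getvalue()


if __name__ == "__main__":
    go_mod = b"module example.com/Dep\n\ngo 1.18\n"
    clean = build_sample_tarball(b"package dep\n", go_mod)
    sums = go_sum_from_tarball(clean)          # stands in for upstream's go.sum
    tampered = build_sample_tarball(b"package dep // altered\n", go_mod)
    print(verify_dependency_tarball(clean, sums))
    print(verify_dependency_tarball(tampered, sums))
```

In real use the expected checksums come from the upstream project's go.sum (which is what the ebuild's EGO_SUM carries), not from the tarball under review as the demo does for lack of a second source; a tarball whose zips all match those lines contains exactly the bytes upstream pinned, whoever built it. The script does not consult sum.golang.org, so it catches a tarball that diverges from go.sum, not a go.sum that was itself tampered with.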

Attachment: signature.asc
Description: PGP signature