Re: [gentoo-dev] About EGO_SUM

2022-06-09 Thread John Helmert III
On Thu, Jun 09, 2022 at 07:49:04PM +0200, Sebastian Pipping wrote:
> On 08.06.22 22:42, Robin H. Johnson wrote:
> > EGO_SUM vs dependency tarballs:
> > [..]
> > - EGO_SUM is verifiable/reproducible from Upstream Go systems
>
> Let's be explicit, there is a _security_ threat here: as a user of an

Re: [gentoo-dev] About EGO_SUM

2022-06-09 Thread Sebastian Pipping
On 08.06.22 22:42, Robin H. Johnson wrote:
> EGO_SUM vs dependency tarballs:
> [..]
> - EGO_SUM is verifiable/reproducible from Upstream Go systems

Let's be explicit, there is a _security_ threat here: as a user of an ebuild, dependency tarballs now take effort in manual review just to confirm that

Re: [gentoo-dev] About EGO_SUM

2022-06-08 Thread Robin H. Johnson
On Fri, Jun 03, 2022 at 01:18:08PM +0200, Florian Schmaus wrote:
> EGO_SUM is marked as 'deprecated' in go-module.eclass [1, 2]. I
> acknowledge that there are packages where the usage of EGO_SUM is very
> problematic. However, I wonder if there are packages where using
> dependency tarballs is

Re: [gentoo-dev] About EGO_SUM

2022-06-03 Thread Ionen Wolkens
On Fri, Jun 03, 2022 at 01:18:08PM +0200, Florian Schmaus wrote:
> EGO_SUM is marked as 'deprecated' in go-module.eclass [1, 2]. I
> acknowledge that there are packages where the usage of EGO_SUM is very
> problematic. However, I wonder if there are packages where using
> dependency tarballs is

[gentoo-dev] About EGO_SUM

2022-06-03 Thread Florian Schmaus
EGO_SUM is marked as 'deprecated' in go-module.eclass [1, 2]. I acknowledge that there are packages where the usage of EGO_SUM is very problematic. However, I wonder if there are packages where using dependency tarballs is problematic while using EGO_SUM would be not. Take for example an