From: "Anna (cybertailor) Vyalkova" <cyber+gentoo@sysrq.in>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: EGO_SUM
Date: Mon, 17 Apr 2023 14:28:22 +0500
Message-ID: <ZD0RNtGkxravYYUf@sysrq.in>
In-Reply-To: <49ce8700-6c96-9360-51cf-2a989f666752@gentoo.org>

On 2023-04-17 09:37, Florian Schmaus wrote:
> The EGO_SUM alternatives
> - do not have the same level of trust and therefore have a negative
> impact on security (a dubious tarball someone put somewhere, especially
> when proxy-maint)

Solution: generate release tarballs in upstream CI/CD.

> - are not easily verifiable

`go mod verify` (called by eclass) does part of the job.

> - require additional effort when developing ebuilds

Generating EGO_SUM needs effort on every bump too.

> - hinder the packaging and Gentoo's adoption of Go-based projects, which
> is worrisome as Go is very popular

Go's approach to package management is the prime cause after all.
Downstream can only choose what workaround to apply.

> - prevent Go modules from being shared as DISTFILES on the mirrors
> across various packages

Go modules often use pinned commits, so only a small share is reused.

> Last but not least, we have the same situation in the Rust ecosystem,
> but we allow the EGO_SUM "equivalent" there.

Rust crates are not such a disaster as Go modules.