From: Florian Schmaus <flow@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Proposal to undeprecate EGO_SUM
Date: Wed, 28 Sep 2022 17:28:00 +0200
Message-ID: <cfec3189-42db-be60-87e5-c7a5415ddecf@gentoo.org>
In-Reply-To: <20220613074411.341909-1-flow@gentoo.org>
I would like to continue discussing whether we should entirely deprecate
EGO_SUM without the desire to offend anyone.
We now have a pending GitHub PR that bumps restic to 0.14 [1]. Restic is
a very popular backup software written in Go. The PR drops EGO_SUM in
favor of a vendor tarball created by the proxied maintainer. However, I
am unaware of any tool that lets you practically audit the 35 MiB source
contained in the tarball. And even if such a tool exists, this would
mean another manual step is required, which is, potentially, skipped
most of the time, weakening our users' security. This is because I
believe neither our tooling, e.g., go-mod.eclass, nor any Golang
tooling, does authenticate the contents of the vendor tarball against
upstream's go.sum. But please correct me if I am wrong.
I wonder if we can reach consensus around un-deprecating EGO_SUM, but
discouraging its usage in certain situations. That is, provide EGO_SUM
as an option but disallow its use if
1.) *upstream* provides a vendor tarball
2.) the number of EGO_SUM entries exceeds 1000 and a Gentoo developer
maintains the package
3.) the number of EGO_SUM entries exceeds 1500 and a proxied maintainer
maintains the package
In the case of 3, I would encourage proxy maintainers to create and provide
the vendor tarball.
The suggested EGO_SUM limits result from a histogram that I created
analyzing ::gentoo at 2022-01-01, i.e., a few months before EGO_SUM was
deprecated.
- Flow
1: https://github.com/gentoo/gentoo/pull/27050
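The message above turns on what "authenticating the contents of a vendor tarball against upstream's go.sum" would actually involve. The Go program below is an added example written for this page; it is not code from Flow, from go-module.eclass or from the Go project. It reimplements the "h1:" hash that go.sum records for a module (the Hash1 construction from golang.org/x/mod/sumdb/dirhash, here written against the standard library only), parses go.sum lines, and checks an unpacked module tree against them. The module name example.invalid/dep, its version and the three files are constructed sample input; no hash in the example is taken from a real go.sum.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes the "h1:" module hash recorded in go.sum. It follows the
// Hash1 algorithm used by Go: each file is SHA-256 hashed, the lines
// "<hex sum>  <name>\n" are sorted by name and hashed again, and the final
// sum is base64-encoded with an "h1:" prefix. Names must carry the
// "module@version/" prefix Go uses inside module zips, or the result will
// not match go.sum.
func hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for n := range files {
		if strings.Contains(n, "\n") {
			return "", errors.New("file names containing newlines are not supported")
		}
		names = append(names, n)
	}
	sort.Strings(names)

	summary := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// parseGoSum extracts module content hashes from go.sum text, keyed by
// "module@version". The "<version>/go.mod" lines cover only the go.mod
// file and are skipped here.
func parseGoSum(gosum string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gosum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		out[f[0]+"@"+f[1]] = f[2]
	}
	return out
}

// verifyModule checks an unpacked module tree (paths relative to the module
// root) against the hash go.sum records for module@version. It returns
// false for a mismatch and for a module go.sum does not list at all.
func verifyModule(module, version string, tree map[string][]byte, sums map[string]string) (bool, error) {
	want, ok := sums[module+"@"+version]
	if !ok {
		return false, nil
	}
	prefixed := make(map[string][]byte, len(tree))
	for p, data := range tree {
		prefixed[module+"@"+version+"/"+p] = data
	}
	got, err := hash1(prefixed)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

// sampleTree is a constructed stand-in for an unpacked module, not a real one.
func sampleTree() map[string][]byte {
	return map[string][]byte{
		"go.mod":  []byte("module example.invalid/dep\n\ngo 1.19\n"),
		"dep.go":  []byte("package dep\n\nfunc Answer() int { return 42 }\n"),
		"LICENSE": []byte("constructed sample, no real license text\n"),
	}
}

func main() {
	tree := sampleTree()
	const mod, ver = "example.invalid/dep", "v1.0.0"

	// Build a go.sum recording the untampered tree; the go.mod line is
	// Hash1 over the single file named "go.mod".
	prefixed := map[string][]byte{}
	for p, d := range tree {
		prefixed[mod+"@"+ver+"/"+p] = d
	}
	h, _ := hash1(prefixed)
	gm, _ := hash1(map[string][]byte{"go.mod": tree["go.mod"]})
	sums := parseGoSum(fmt.Sprintf("%s %s %s\n%s %s/go.mod %s\n", mod, ver, h, mod, ver, gm))

	ok, _ := verifyModule(mod, ver, tree, sums)
	fmt.Println("untouched tree matches go.sum:", ok)

	// Plant a one-line change, as a tampered vendor tree would carry.
	tree["dep.go"] = []byte("package dep\n\nfunc Answer() int { return 41 }\n")
	ok, _ = verifyModule(mod, ver, tree, sums)
	fmt.Println("tampered tree matches go.sum:", ok)
}
```

The caveat that matters for the vendor-tarball debate: `go mod vendor` copies only the packages the build imports and drops test files, so the vendor/ tree in a tarball is not the complete module and its Hash1 will not equal the go.sum entry. This check applies to full module trees, such as the ones `go mod verify` recomputes from the module cache, which is why the vendor tree itself has to be trusted on the strength of whoever produced it.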
Thread overview: 58+ messages
2022-06-13 7:44 [gentoo-dev] Proposal to undeprecate EGO_SUM Florian Schmaus
2022-06-13 7:44 ` [gentoo-dev] [PATCH] go-module.eclass: " Florian Schmaus
2022-06-13 9:49 ` Andrew Ammerlaan
2022-06-13 10:25 ` Florian Schmaus
2022-06-17 15:53 ` William Hubbs
2022-06-13 8:29 ` [gentoo-dev] Proposal to " Michał Górny
2022-06-13 8:49 ` Ulrich Mueller
2022-06-13 9:34 ` Florian Schmaus
2022-06-13 10:26 ` Ulrich Mueller
2022-06-17 16:27 ` William Hubbs
2022-10-12 13:01 ` Florian Schmaus
2022-06-13 9:30 ` Florian Schmaus
2022-06-13 11:03 ` Michał Górny
2022-06-14 9:37 ` Michał Górny
2022-06-14 10:29 ` Florian Schmaus
2022-06-14 16:33 ` [gentoo-dev] " Holger Hoffstätte
2022-06-14 17:03 ` Florian Schmaus
2022-06-15 5:53 ` Michał Górny
2022-06-17 19:04 ` Michał Górny
2022-06-14 17:34 ` [gentoo-dev] " Arsen Arsenović
2022-06-26 23:43 ` Zoltan Puskas
2022-06-27 6:09 ` Oskari Pirhonen
2022-06-27 7:14 ` Zoltan Puskas
2022-07-15 21:34 ` William Hubbs
2022-07-16 11:24 ` Florian Schmaus
2022-07-16 11:58 ` Joonas Niilola
2022-07-16 17:51 ` William Hubbs
2022-07-16 18:31 ` Arthur Zamarin
2022-07-16 18:46 ` Robin H. Johnson
2022-07-16 19:35 ` William Hubbs
2022-07-16 20:20 ` Ulrich Mueller
2022-07-17 1:37 ` William Hubbs
2022-09-28 15:28 ` Florian Schmaus [this message]
2022-09-28 16:31 ` Ulrich Mueller
2022-09-30 0:36 ` William Hubbs
2022-09-30 14:53 ` Florian Schmaus
2022-09-30 15:48 ` William Hubbs
2022-09-30 19:18 ` Sam James
2022-10-11 10:06 ` [gentoo-dev] RFC: check A's size in go-module.eclass Florian Schmaus
2022-10-11 10:06 ` [gentoo-dev] [PATCH] go-module.eclass: ensure that A is less than 112 KiB Florian Schmaus
2022-10-11 15:26 ` Mike Gilbert
2022-10-11 15:58 ` Florian Schmaus
2022-10-11 15:33 ` [gentoo-dev] RFC: check A's size in go-module.eclass Mike Gilbert
2022-09-30 19:49 ` [gentoo-dev] Proposal to undeprecate EGO_SUM Alec Warner
2022-10-01 0:06 ` William Hubbs
2022-10-01 13:42 ` Florian Schmaus
2022-10-01 16:36 ` Ulrich Mueller
2022-10-01 17:21 ` Florian Schmaus
2022-10-01 20:59 ` William Hubbs
2022-09-30 20:07 ` Arsen Arsenović
2022-09-30 23:49 ` William Hubbs
2022-09-28 21:23 ` John Helmert III
2022-09-30 13:57 ` Florian Schmaus
2022-09-30 14:36 ` Jaco Kroon
2022-09-30 14:53 ` Florian Schmaus
2022-09-30 15:10 ` Jaco Kroon
2022-09-30 15:32 ` Zoltan Puskas
2022-09-30 19:02 ` Georgy Yakovlev