From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-88580-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id B2D54138334
	for <garchives@archives.gentoo.org>; Mon, 16 Sep 2019 07:55:09 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 04F22E095F;
	Mon, 16 Sep 2019 07:55:06 +0000 (UTC)
Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id B74B4E0948
	for <gentoo-dev@lists.gentoo.org>; Mon, 16 Sep 2019 07:55:05 +0000 (UTC)
Received: from katipo2.lan (unknown [203.86.205.69])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: kentnl)
	by smtp.gentoo.org (Postfix) with ESMTPSA id 5CBE134AE48
	for <gentoo-dev@lists.gentoo.org>; Mon, 16 Sep 2019 07:55:04 +0000 (UTC)
Date: Mon, 16 Sep 2019 19:54:55 +1200
From: Kent Fredric <kentnl@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 3/3] dev-vcs/hub: migrate to
 go-module.eclass
Message-ID: <20190916195455.13eb6fad@katipo2.lan>
In-Reply-To: <2b8d7f00-fdf9-e879-5035-cc00b9c2b551@gentoo.org>
References: <20190911172128.18885-1-williamh@gentoo.org>
	<20190911172128.18885-4-williamh@gentoo.org>
	<f7b0d6ce-4bad-0daf-4e62-ac941f573bf4@gentoo.org>
	<CAAr7Pr8_VhHsPvNvwUMVh-jX7z+7uOQBPNjx_FbBocRzh9brcQ@mail.gmail.com>
	<20190911234815.GA21591@whubbs1.dev.av1.gaikai.org>
	<CAAr7Pr-WK2VcB+CJAY8HXTK7kyXqf4KnCb+DSe+CwsmoEAbFjQ@mail.gmail.com>
	<20190912154634.GB23846@whubbs1.dev.av1.gaikai.org>
	<88094567-323c-6f6a-a1d9-0c1b77ef53e3@gentoo.org>
	<CAAr7Pr8v_fr_yS9y6Y19X5FJqqDT0mc09jAJ8szx0WNXOiC-KQ@mail.gmail.com>
	<6acd490e-6393-62e4-5d07-71c2a3624417@gentoo.org>
	<CAAr7Pr_rhCAr1daJdG8rxggRk1W_C-6+B+gjRFb6iyr69YGOtA@mail.gmail.com>
	<98f7c838-6562-1214-c883-ec4cdbd45d4e@gentoo.org>
	<20190913211930.088d5513@katipo2.lan>
	<74ae34f0-75c5-2416-a09f-9551f18ef321@gentoo.org>
	<20190913131743.11a1d990@patrickm.gaikai.org>
	<2b8d7f00-fdf9-e879-5035-cc00b9c2b551@gentoo.org>
Organization: Gentoo
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="Sig_/NCZylsQ7jYBsNGnNC6KBhGH";
 protocol="application/pgp-signature"; micalg=pgp-sha256
X-Archives-Salt: 4965398b-2380-4367-887f-ca3deee4b08a
X-Archives-Hash: 8e3ad017cbcdca0cbc2d8a9f02d90174

--Sig_/NCZylsQ7jYBsNGnNC6KBhGH
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

On Fri, 13 Sep 2019 19:44:55 -0400
Michael Orlitzky <mjo@gentoo.org> wrote:

>  They silently get something less than
> they're expecting. We would be better off telling people to run "go
> whatever" themselves, or by putting this stuff in an overlay where
> expectations are clearly defined.

That suggestion actually decreases security.

Especially if the package in question is intended to be run as root.

At least with using portage, you can side-step the nonsense of "and
here's how you install this in /usr/bin .... curl url | sudo bash - "

And additionally, we get a sandbox and all the features of file
ownership tracking.

And if there is a complaint about the package misbehaving, a bug can be
filed in a common location, and a gentoo dev can actually fix the
problem, even if upstream have moved on to greener pastures. ( This is
the sad state of a lot of older perl stuff these days, they simply
don't work vanilla any more, and gentoo are putting the patches in to
keep it working )

So in summary, Portage does a lot more for the end user than "ensure
dynamic linking works".




--Sig_/NCZylsQ7jYBsNGnNC6KBhGH
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEgdrME8Lrmai3DXYJda6SGagVg7UFAl1/P88ACgkQda6SGagV
g7Vnig/8Dl6nh5qi5vOxIFnr/oseI6fEUafts3COLpWmDWiFU7X41wHkFRcof6oO
nD+q9O9gfazouX7NBgUVJG/7DWc3NOqdaP9YCwVIPV2ivPuhDuKj9vtjy1wAT60T
EK6Hu7FGGmE+SSN1TTMdC0tlwViUEutHGJH3QSKpKx9leVW9+XnG6FdwQbXV3TSw
dZa4TT+jrA1Oc2nWIic1nsw20bFFPJ9MJzPd7LHWpso56QENMU/ow4i12hkD2Fwg
Z+mu/7wal7fmhzXIfUYINfmELt7UgXRy2TL4kb8Gezahf5Ta5YagZ4tc5QlmmhM6
A6CuRjpzjGss/35VfC8sqT2QyvwoaoixseG7zR3b8sRUK5PeJ/AKUvfo1vbukL8a
Ay0otWIA9KQ6zK9JX0aD6/MFdVxWOET1lJgm3dyOYsxwYhk0aUxNlYw0pCwOZxmX
AEB8vj941J60/knXO5hKpWuf2EOjoNPuX6/uSaQvzAcgcUi85cHB0z46aNyRuWOp
73WLzXMdPYyv9WercVD9C9sU9opGkUjK7c+sxiXerbGH0QNejywjR2XPp2pn1caV
K5pCtcpCx0aEs+Uxm2Dkqn0MhjfTQDnFeRwJzFb+uVp79rGzPF2HTNy2UIyqOyMr
CnF9fsb1S4R12J5CknC+fR6rJtNCisxsGc5YW/Xe5aqgKoNWK18=
=2tOy
-----END PGP SIGNATURE-----

--Sig_/NCZylsQ7jYBsNGnNC6KBhGH--