[gentoo-dev] cdrom.eclass vs KEYWORDS

["Michał Górny" <mgorny@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 1211 bytes --]

Hi,

I'm wondering if we're doing the right things by adding KEYWORDS to
packages using cdrom.eclass.  After all, it's somewhat similar to live
ebuilds.  That is, data is fetched outside regular PM mechanisms (though
not implicitly through Internet, arguably) and it is not covered by any
checksums.

This creates a somewhat gaping security hole to anyone using those
packages.  After all, the ebuilds are going to happily install any
malware you might have on that CD without even thinking twice about it. 
In fact, with construction of many ebuilds it is entirely plausible that
additional unexpected files may end up being installed.

To be honest, I don't think this is a problem that could be fixed. 
Technically, we could add some kind of, say, b2sum lists to ebuilds
and verify installed files against them.  However, the way I understand
we frequently aim to support different releases of the same product,
that may have wildly differing checksums.

So maybe the most obvious solution would be to remove KEYWORDS from
ebuilds unconditionally using cdrom.eclass (and their reverse
dependencies), and mask USE=cdinstall on the rest.

WDYT?

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]