Re: [gentoo-dev] cdrom.eclass vs KEYWORDS

[Mike Gilbert <floppym@gentoo.org>]

On Wed, Sep 25, 2019 at 4:14 PM Michał Górny <mgorny@gentoo.org> wrote:
>
> Hi,
>
> I'm wondering if we're doing the right things by adding KEYWORDS to
> packages using cdrom.eclass.  After all, it's somewhat similar to live
> ebuilds.  That is, data is fetched outside regular PM mechanisms (though
> not implicitly through Internet, arguably) and it is not covered by any
> checksums.
>
> This creates a somewhat gaping security hole to anyone using those
> packages.  After all, the ebuilds are going to happily install any
> malware you might have on that CD without even thinking twice about it.
> In fact, with construction of many ebuilds it is entirely plausible that
> additional unexpected files may end up being installed.

The eclass seems to be used exclusively by games (with one exception),
which are probably full of unreported security problems anyway.

> To be honest, I don't think this is a problem that could be fixed.
> Technically, we could add some kind of, say, b2sum lists to ebuilds
> and verify installed files against them.  However, the way I understand
> we frequently aim to support different releases of the same product,
> that may have wildly differing checksums.
>
> So maybe the most obvious solution would be to remove KEYWORDS from
> ebuilds unconditionally using cdrom.eclass (and their reverse
> dependencies), and mask USE=cdinstall on the rest.
>
> WDYT?

Move them to an overlay.