From: William Hubbs <williamh@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] EGO_SUM
Date: Fri, 2 Jun 2023 13:06:53 -0500 [thread overview]
Message-ID: <ZHovvarbZ6a1GGNm@linux1.home> (raw)
In-Reply-To: <d8120074-b65c-347d-366c-1fdb0774fc04@gentoo.org>
[-- Attachment #1: Type: text/plain, Size: 2087 bytes --]
On Fri, Jun 02, 2023 at 10:13:55AM +0300, Joonas Niilola wrote:
> On 1.6.2023 22.55, William Hubbs wrote:
> >>
> >> The EGO_SUM alternatives
> >> - do not have the same level of trust and therefore have a negative
> >> impact on security (a dubious tarball someone put somewhere, especially
> >> when proxy-maint)
> >
> > For this, I would argue that vetting the tarball falls to the developer
> > who is proxying. If you don't trust the proxy maintainer you
> > are pushing for, it is easy to make a dependency tarball yourself and
> > add it to your dev space.
> >
> >
> >> - require additional effort when developing ebuilds
> >
> > This "additional effort" is pretty subjective. Making a dependency tarball
> > isn't a lot of work, especially with the script that I posted in this thread.
> >
>
> In theory it's "easy", but in practice how'd you work? This would be
> fine when a single developer is proxying a single maintainer, but when a
> a stack of devs (project) are proxying hundreds of different people, it
> becomes messy and unsustainable rather fast.
This comment is completely off topic for this thread, so start another
thread for it if you want, but if hundreds of people are being proxied
by proxy-maint, that seems to be a concern unrelated to this. It seems
the fix for that is to advocate for some of these hundreds of people to
become developers so they don't have to be proxied any more.
> I do want to point out that any proxied maintainer can and should upload
> the vendor tarballs to their own Github / Gitlab distfile-repos for the
> time being, but allowing EGO_SUM to be used again would be the easiest
> solution here in my opinion for everyone involved. I'm aware it's pushed
> back due to technicalities.
Like I said at another point in the thread, I want to get rid of EGO_SUM
by moving most of the processing for it out of the eclass. I'm looking
into that now. This will still run into the same problem as EGO_SUM if
$A is still exported, but it should speed up ebuild processing.
William
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
next prev parent reply other threads:[~2023-06-02 18:07 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-17 7:37 [gentoo-dev] EGO_SUM Florian Schmaus
2023-04-17 9:28 ` [gentoo-dev] EGO_SUM Anna (cybertailor) Vyalkova
2023-04-27 18:00 ` William Hubbs
2023-04-27 18:18 ` David Seifert
2023-04-24 16:11 ` Florian Schmaus
2023-04-24 20:28 ` Sam James
2023-04-24 22:52 ` Alexey Zapparov
2023-04-26 15:31 ` Florian Schmaus
2023-04-26 16:12 ` Matt Turner
2023-04-26 19:31 ` Andrew Ammerlaan
2023-04-26 19:38 ` Chris Pritchard
2023-04-26 20:47 ` Matt Turner
2023-04-27 7:58 ` Florian Schmaus
2023-04-27 9:24 ` Ulrich Mueller
2023-04-28 6:59 ` Florian Schmaus
2023-04-27 12:54 ` Michał Górny
2023-04-27 23:12 ` Pascal Jäger
2023-04-28 0:38 ` Sam James
2023-04-28 4:27 ` Michał Górny
2023-04-28 5:31 ` Sam James
2023-04-28 6:59 ` Florian Schmaus
2023-04-28 14:34 ` Michał Górny
2023-05-02 19:32 ` Florian Schmaus
2023-05-02 19:38 ` Sam James
2023-04-29 22:34 ` Robin H. Johnson
2023-04-27 21:16 ` Sam James
2023-05-02 19:32 ` Florian Schmaus
2023-05-02 19:45 ` Sam James
2023-05-08 7:53 ` Florian Schmaus
2023-05-08 12:03 ` Michał Górny
2023-05-22 7:14 ` Florian Schmaus
2023-05-02 20:04 ` Matt Turner
2023-05-08 7:53 ` Florian Schmaus
2023-04-26 20:51 ` Sam James
2023-05-30 15:52 ` Florian Schmaus
2023-05-30 16:30 ` Anna (cybertailor) Vyalkova
2023-05-31 5:02 ` Oskari Pirhonen
2023-05-30 16:35 ` Arthur Zamarin
2023-05-31 6:20 ` Andrew Ammerlaan
2023-05-31 8:40 ` Ryan Qian
2023-05-31 9:06 ` Arsen Arsenović
2023-05-31 6:30 ` pascal.jaeger leimstift.de
2023-06-01 4:00 ` William Hubbs
2023-06-02 8:17 ` Florian Schmaus
2023-06-02 8:31 ` Michał Górny
2023-06-09 10:07 ` Florian Schmaus
2023-06-01 19:55 ` [gentoo-dev] EGO_SUM William Hubbs
2023-06-02 7:13 ` Joonas Niilola
2023-06-02 18:06 ` William Hubbs [this message]
2023-06-02 18:42 ` Joonas Niilola
2023-06-09 10:07 ` Florian Schmaus
[not found] <2ZKWN4KF.MKEFFMWE.LGPKYP47@RTL7EJXF.RN4PF6UF.MDFBGF3C>
[not found] ` <be450641-94ff-a0d9-51da-3a7a3abcc6c7@gentoo.org>
[not found] ` <b7309a3f-2980-b390-a16a-0518cce1da75@gentoo.org>
[not found] ` <87y1k33aoy.fsf@gentoo.org>
2023-06-30 8:15 ` [gentoo-dev] EGO_SUM (was: [gentoo-project] Gentoo Council Election 202306 ... Nominations Open in Just Over 24 Hours.) Florian Schmaus
2023-06-30 8:22 ` Sam James
2023-07-03 10:17 ` Florian Schmaus
2023-07-03 11:12 ` [gentoo-dev] EGO_SUM Ulrich Mueller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZHovvarbZ6a1GGNm@linux1.home \
--to=williamh@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox