Date: Thu, 9 Jun 2022 19:49:04 +0200
From: Sebastian Pipping
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] About EGO_SUM
References: <9d4adb56-34be-7058-3979-2c99178251dd@gentoo.org>

On 08.06.22 22:42, Robin H. Johnson wrote:
> EGO_SUM vs dependency tarballs:
> [..]
> - EGO_SUM is verifiable/reproducible from Upstream Go systems

Let's be explicit: there is a _security_ threat here. As a user of an
ebuild, dependency tarballs now take effort in manual review just to
confirm that the content fully matches its supposed list of ingredients.
They are the perfect place to hide malicious code in plain sight.

Now with dependency tarballs, there is a new layer that by design will
likely be chronically under-audited. It gives me shivers, frankly.

Previously with a manifest and upstream-only URLs, only upstream can add
malicious code, not downstream in Gentoo.

Best

Sebastian
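One way to do the manual review the message describes, as an added example that is not from this thread or from Gentoo's go-module eclass: recompute the go.sum hash of each module zip in a dependency tarball (Go's "h1:" dirhash Hash1, a sha256 over the name-sorted per-file sha256 lines) and compare it with the go.sum entry. The module name, version and file contents below are constructed.

```python
import base64
import hashlib
import io
import zipfile
from typing import Dict, Iterable, Tuple

def hash1(files: Iterable[Tuple[str, bytes]]) -> str:
    # Go's dirhash Hash1 (the "h1:" value in go.sum): sha256 over the
    # name-sorted lines "<sha256hex>  <name>\n", then base64.
    summary = hashlib.sha256()
    for name, data in sorted(files, key=lambda f: f[0]):
        summary.update(f"{hashlib.sha256(data).hexdigest()}  {name}\n".encode())
    return "h1:" + base64.b64encode(summary.digest()).decode()

def hash1_zip(zip_bytes: bytes) -> str:
    # Like Go's HashZip: entry names are already "<module>@<version>/<path>".
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return hash1((i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir())

def parse_go_sum(text: str) -> Dict[Tuple[str, str], str]:
    # (module, version) -> h1 hash; "/go.mod" lines cover only go.mod, so skip them.
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[1].endswith("/go.mod"):
            sums[(parts[0], parts[1])] = parts[2]
    return sums

def verify_zip(module: str, version: str, zip_bytes: bytes, go_sum: str) -> bool:
    # True only if go.sum lists this module version and the zip hashes to it.
    expected = parse_go_sum(go_sum).get((module, version))
    return expected is not None and expected == hash1_zip(zip_bytes)

def build_zip(files: Iterable[Tuple[str, bytes]]) -> bytes:
    # Packs (name, content) pairs; used here only to construct sample input.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files:
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample module (hypothetical name); real input is the zips under go-mod/cache/download/ in the tarball.
SAMPLE_MODULE, SAMPLE_VERSION = "example.invalid/demo", "v0.1.0"
SAMPLE_FILES = [
    (f"{SAMPLE_MODULE}@{SAMPLE_VERSION}/go.mod", b"module example.invalid/demo\n"),
    (f"{SAMPLE_MODULE}@{SAMPLE_VERSION}/demo.go", b"package demo\n"),
]

if __name__ == "__main__":
    go_sum = f"{SAMPLE_MODULE} {SAMPLE_VERSION} {hash1_zip(build_zip(SAMPLE_FILES))}\n"
    print(verify_zip(SAMPLE_MODULE, SAMPLE_VERSION, build_zip(SAMPLE_FILES), go_sum))
```

This check only applies to tarballs that carry the module zips: a go.sum entry covers a module zip, so a `go mod vendor` tree offers nothing to compare against, which is part of why such a tree is harder to audit.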