From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 5EDA6158094 for ; Wed, 28 Sep 2022 15:28:10 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4EA9EE0831; Wed, 28 Sep 2022 15:28:06 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1A106E0824 for ; Wed, 28 Sep 2022 15:28:06 +0000 (UTC) Message-ID: Date: Wed, 28 Sep 2022 17:28:00 +0200 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.0 Subject: Re: [gentoo-dev] Proposal to undeprecate EGO_SUM Content-Language: en-US To: gentoo-dev@lists.gentoo.org References: <20220613074411.341909-1-flow@gentoo.org> From: Florian Schmaus In-Reply-To: <20220613074411.341909-1-flow@gentoo.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: 36882caa-989f-4ed6-8d10-0f33da23d25b X-Archives-Hash: 1cb152f339d763c3bcf2cb4a35d0f45c I would like to continue discussing whether we should entirely deprecate EGO_SUM without the desire to offend anyone. We now have a pending GitHub PR that bumps restic to 0.14 [1]. Restic is a very popular backup software written in Go. The PR drops EGO_SUM in favor of a vendor tarball created by the proxied maintainer. However, I am unaware of any tool that lets you practically audit the 35 MiB source contained in the tarball. And even if such a tool exists, this would mean another manual step is required, which is, potentially, skipped most of the time, weakening our user's security. This is because I believe neither our tooling, e.g., go-mod.eclass, nor any Golang tooling, does authenticate the contents of the vendor tarball against upstream's go.sum. But please correct me if I am wrong. I wonder if we can reach consensus around un-depreacting EGO_SUM, but discouraging its usage in certain situations. That is, provide EGO_SUM as option but disallow its use if 1.) *upstream* provides a vendor tarball 2.) the number of EGO_SUM entries exceeds 1000 and a Gentoo developer maintains the package 3.) the number of EGO_SUM entries exceeds 1500 and a proxied maintainer maintains the package In case of 3, I would encourage proxy maintainers to create and provide the vendor tarball. The suggested EGO_SUM limits result from a histogram that I created analyzing ::gentoo at 2022-01-01, i.e., a few months before EGO_SUM was deprecated. - Flow 1: https://github.com/gentoo/gentoo/pull/27050