From: Joonas Niilola
To: gentoo-dev@lists.gentoo.org, williamh@gentoo.org
Date: Fri, 2 Jun 2023 10:13:55 +0300
Subject: Re: [gentoo-dev] EGO_SUM
List-Id: Gentoo Linux mail (gentoo-dev@lists.gentoo.org)
References: <49ce8700-6c96-9360-51cf-2a989f666752@gentoo.org>
On 1.6.2023 22.55, William Hubbs wrote:
>>
>> The EGO_SUM alternatives
>> - do not have the same level of trust and therefore have a negative
>> impact on security (a dubious tarball someone put somewhere, especially
>> when proxy-maint)
>
> For this, I would argue that vetting the tarball falls to the developer
> who is proxying. If you don't trust the proxy maintainer you
> are pushing for, it is easy to make a dependency tarball yourself and
> add it to your dev space.
>
>
>> - require additional effort when developing ebuilds
>
> This "additional effort" is pretty subjective. Making a dependency tarball
> isn't a lot of work, especially with the script that I posted in this thread.
>

In theory it's "easy", but in practice how'd you work? This would be fine when a single developer is proxying a single maintainer, but when a stack of devs (project) are proxying hundreds of different people, it becomes messy and unsustainable rather fast.

I do want to point out that any proxied maintainer can and should upload the vendor tarballs to their own Github / Gitlab distfile-repos for the time being, but allowing EGO_SUM to be used again would be the easiest solution here in my opinion for everyone involved. I'm aware it's pushed back due to technicalities.
-- 
juippis