From: Ulrich Mueller <ulm@gentoo.org>
To: Florian Schmaus <flow@gentoo.org>
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Proposal to undeprecate EGO_SUM
Date: Wed, 28 Sep 2022 18:31:39 +0200
Message-ID: <usfkb1mvo@gentoo.org>
In-Reply-To: <cfec3189-42db-be60-87e5-c7a5415ddecf@gentoo.org> (Florian Schmaus's message of "Wed, 28 Sep 2022 17:28:00 +0200")
>>>>> On Wed, 28 Sep 2022, Florian Schmaus wrote:
> I would like to continue discussing whether we should entirely
> deprecate EGO_SUM without the desire to offend anyone.
>
> We now have a pending GitHub PR that bumps restic to 0.14 [1]. Restic
> is a very popular backup software written in Go. The PR drops EGO_SUM
> in favor of a vendor tarball created by the proxied maintainer.
> However, I am unaware of any tool that lets you practically audit the
> 35 MiB source contained in the tarball. And even if such a tool
> exists, this would mean another manual step is required, which is,
> potentially, skipped most of the time, weakening our users' security.
> This is because I believe neither our tooling, e.g., go-mod.eclass,
> nor any Golang tooling, does authenticate the contents of the vendor
> tarball against upstream's go.sum. But please correct me if I am
> wrong.
>
> I wonder if we can reach consensus around un-deprecating EGO_SUM, but
> discouraging its usage in certain situations. That is, provide EGO_SUM
> as option but disallow its use if
>
> 1.) *upstream* provides a vendor tarball
> 2.) the number of EGO_SUM entries exceeds 1000 and a Gentoo developer
> maintains the package
> 3.) the number of EGO_SUM entries exceeds 1500 and a proxied
> maintainer maintains the package
These numbers seem quite large, compared to the mean number of 3.4
distfiles for packages in the Gentoo repository. (The median and the
99th percentile are 1 and 22, respectively.)
Ulrich
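What a go.sum line actually attests, and why a vendor tarball cannot simply be checked against it, as an added Go example (not code from this thread, from go-module.eclass or from the Go toolchain): it reimplements the h1 dirhash that go.sum records and verifies a constructed file set against a constructed go.sum; the module name and hash values are made up for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 reimplements the "h1:" hash that go.sum records (dirhash.Hash1):
// one "<sha256 hex>  <name>\n" line per file, sorted by name, then sha256
// and base64. Module-zip names carry the "module@version/" prefix; the
// "/go.mod" entry hashes the single file named "go.mod".
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// ParseGoSum maps "module version" (or "module version/go.mod") to its h1 hash.
func ParseGoSum(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 3 && strings.HasPrefix(f[2], "h1:") {
			out[f[0]+" "+f[1]] = f[2]
		}
	}
	return out
}

// Verify recomputes the hash of a file set and compares it with go.sum.
func Verify(gosum map[string]string, key string, files map[string][]byte) error {
	want, ok := gosum[key]
	if !ok {
		return fmt.Errorf("%s: no go.sum entry", key)
	}
	if got := Hash1(files); got != want {
		return fmt.Errorf("%s: got %s, want %s", key, got, want)
	}
	return nil
}
```

Only the original module zip (or a tree extracted from it with the prefixed names) verifies this way; `go mod vendor` drops tests, unused packages and other files, so a vendor/ tree hashed like this will not match its go.sum entry, which is the gap the quoted message describes.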