Alec Warner wrote:
This is to prevent people from sticking a random unchecksum'd ebuild in
your tree and then having portage source it for depend() metadata and
then getting bitten by some global scope nasties.
Is this really the correct solution to this "problem"?
I can't see the use case: do people really download (potentially
malicious) ebuilds, stick them in their overlay, and then *not* use them?
Somehow I don't think that's true - people will generally download
ebuilds, and use them (even if they fail during compilation, they will
have been used in some form).
If you start requiring people to create Manifests for these ebuilds,
they will do so, and this has not changed the security implications of
these "untrusted" ebuilds.
Am I missing something?
Daniel
--
gentoo-dev@gentoo.org mailing list
