OK so yes I know overlays in the wild can be disastrous. Reading the devmanual while parsing through various ebuilds both portage and in the wild, does make for some interesting reading:: ymmv.
I'm not sure my overlay (kung_fu) is complete. 'layman -L' lists reasonably qualified overlay sites; but you have to add them to search out their content directly. 'eix -R <keywordname> ' will search far and wide for a given overlay; like the distributed database 'cassandra. Some googling suggest that zugaina contains a master list of overlays? (not sure how true this is). I'm not sure if 'eix -R' or 'browsing zugaina' provides the widest possible list of (mostly safe) overlay sites. Last, googling for the name + ebuild or overlay can find packages, but if the archive (git etc) is not listed with a layman -L:: be very cautious.... audit the details of the overlay. Specifically, on dev-db/cassandara I find 2.1.3 and 2.12 ([5] "spike-community-overlay" layman/spike-community-overlay) but the cassandra.apache.org site shows 2.1.8 and 2.20 as the stable and testing downloads currently available. So is it safe to use the "spike-community" overlay as a basis to update the cassandra ebuild I have available? In general, is there a list (even a private list) of know good/bad actors on these overlay sites? Any further tidbits on searching out and qualifying overlays (yes I know only a full code audit is actually safe) that folks use or would suggest would be keen. I did see some gentoo wiki pages on the subject but they seem terse or dated. curiously, James