On 6 August 2015 at 09:50, Alan McKinnon <alan.mckin...@gmail.com> wrote:

> On 06/08/2015 03:27, James wrote:
> > OK so yes I know overlays in the wild can be disastrous.
> > Reading the devmanual while parsing through various ebuilds
> > both portage and in the wild, does make for some interesting
> > reading:: ymmv.
> >
> > I'm not sure my overlay (kung_fu) is complete.
> >
> >
> > 'layman -L'  lists reasonably qualified overlay sites; but you
> > have to add them to search out their content directly.
> >
> > 'eix -R <keywordname> ' will search far and wide for a given
> > overlay; like the distributed database 'cassandra'.
> >
> > Some googling suggests that zugaina contains a master list of overlays?
> > (not sure how true this is).
> >
> > I'm not sure if 'eix -R' or 'browsing zugaina' provides the widest
> > possible list of (mostly safe) overlay sites.
> >
> > Last, googling for the name + ebuild  or overlay can find packages,
> > but if the archive (git etc) is not listed with a layman -L:: be
> > very cautious.... audit the details of the overlay.
> >
> > Specifically, on dev-db/cassandra I find 2.1.3 and 2.12
> > ([5] "spike-community-overlay" layman/spike-community-overlay)
> >
> > but the cassandra.apache.org site shows 2.1.8 and 2.20 as the
> > stable and testing downloads currently available. So is it safe
> > to use the "spike-community" overlay as a basis to update the cassandra
> > ebuild I have available?
> >
> > In general, is there a list (even a private list) of known good/bad
> > actors on these overlay sites?
> >
> >
> > Any further tidbits on searching out and qualifying overlays (yes
> > I know only a full code audit is actually safe) that folks use
> > or would suggest would be keen. I did see some gentoo wiki pages on the
> > subject but they seem terse or dated.
>
>
> To find Joe Random Hacker's overlay and see what's in it, I tend to
> browse zugaina. Coverage is decent and most stuff from most folks active
> in the Gentoo ecosystem is there.
>
> If an overlay is not listed on zugaina, these days it tends to be on
> github or similar. I usually just do a git checkout and cast my own
> eyeballs over the ebuilds. If I'm happy, import into layman (I think
> it's -o) with the xml file that should be provided.
>
> Thus far I've had good success. As with everything else in Gentoo it's
> buyer beware, and train your eyeballs and brain beforehand. There do
> not seem to be any easy shortcuts.
>
>
> --
> Alan McKinnon
> alan.mckin...@gmail.com
>
>
>
I would concur with Alan. The zugaina site is a very valuable resource.

I happen to have an overlay in Layman and I have contacted Ycarus (who runs
the zugaina site) when one of my packages wasn't sync'd with Layman.
Apparently his site pulls in the overlays on an automated basis (cron job
style). It is pretty quick to update/stay in sync though.

I tend to look out for "quality" (or lack of) 3rd-party ebuilds by running
repoman over them. "Stale Overlays" are pretty easy to spot as well... :-)

--

All the best,
Robert
