On Thu, 2010-01-07 at 16:40 -0800, Mark Knecht wrote:

> 2) The idea of end-users installing ebuilds themselves from an unknown
> individual delivered through an email list is about as insane as it
> could be. Just what I need is an untested ebuild that I install and
> build myself stealing everything on my system.

"Note that if I can get you to "su and say" something just by asking,
you have a very serious security problem on your system and you should
look into it."
        -- Paul Vixie, vixie-cron 3.0.1 installation notes

the problem there would be with the end-user, not malicious-Ronan, IMHO

> As a user and someone who cares about Gentoo I'd like to see ALL
> ebuilds banned from this list.

Negatory Ghost Rider!  Ban ebuild attachments, then someone says
"install this ebuild I wrote from http://root.kit.org/die.ebuild ..."
then what?  Ban links too?

Gentoo is about learning (and lots of other stuff too) so if it takes
your system to crash before you learn not to run untrusted executables,
then that's what it takes.  I have pretty darn good and regular backups,
but only because I once fsck'd my filesystem without them, and I know
how much of a pain that is.

>  Only takes one bad seed and one
> not-very knowledgeable user like me to give the distro a black eye it
> doesn't deserve.

You know enough not to try it though.  It's also easy for someone to
reply with a BIG FAT WARNING stating as much to others.  I think this
distro has enough bruises that it's toughened up a bit :)  And by the
stage a user can make an overlay, manifest, etc. I think they know a
little bit already.

> Yeah, I'm paranoid...

It's ok to be paranoid, they really _are_ out to get you ;)

But seriously: warn people, sure.  Learn about security & ebuilds, sure.
Ban them?  Not such a good idea IMHO :)

> Cheers,
> Mark

catchya,
-- 
Iain Buchanan <iaindb at netspace dot net dot au>

Ralph's Observation:
        It is a mistake to let any mechanical object realise that you
        are in a hurry.

