Bug 139023 - Make emerge --digest harder to use
Summary: Make emerge --digest harder to use
Status: RESOLVED WONTFIX
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Interface (emerge)
Hardware: All Linux
Importance: High enhancement
Assignee: Portage team
Keywords: InVCS
Reported: 2006-07-03 08:57 UTC by UncleOwen
Modified: 2008-03-19 06:14 UTC
Description UncleOwen 2006-07-03 08:57:01 UTC
There have been some broken digests lately. While this is certainly not a good thing, it happens. Usually, it's fixed within a day (if not hours) after the bug report.

The problem I see is: Most users don't report their problem on bugzilla; they go to the forums. There, some other user tells them to run emerge --digest. While this "fixes" the immediate problem, this is definitely not what we want, because:

a) The problem will not get fixed as fast as it should be.
b) (much more serious IMHO) This establishes a pattern of thinking. In case there IS a break-in into Gentoo infrastructure, and this is caught by the digest mechanism[1], users will just type emerge --digest - and install compromised software.

That's why I propose to make it harder to use emerge --digest. To not make it harder on devs/ebuild writers, I propose something similar to what gcc-4.0/1 used: An environment variable (e.g. I_KNOW_WHAT_DIGESTS_ARE_FOR_AND_WILL_REPORT_ANY_BROKEN_DIGESTS_ON_BUGZILLA) that has to be set to 1. Otherwise emerge should refuse to recreate digest, and tell the user about how to enable this feature. Hopefully, the name should be enough to scare unknowing users away.

[1] Yes, I know that the current system is not perfect. But maybe it will get there someday.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2008-02-17 22:31:47 UTC
(In reply to comment #0)
> I_KNOW_WHAT_DIGESTS_ARE_FOR_AND_WILL_REPORT_ANY_BROKEN_DIGESTS_ON_BUGZILLA)
> that has to be set to 1. Otherwise emerge should refuse to recreate digest, and
> tell the user about how to enable this feature. Hopefully, the name should be
> enough to scare unknowing users away.

Nice, that will only upset about every single ebuild developer out there, closing.
Comment 2 Zac Medico gentoo-dev 2008-02-18 00:40:04 UTC
I think what we should really do is advise the user that `repoman manifest` is the preferred way to generate manifests. If necessary, it can be used to do an entire repository at once.
Comment 3 Zac Medico gentoo-dev 2008-03-19 06:14:52 UTC
In svn r9482 it's fixed to show a warning message like this:

 * The --digest option can prevent corruption from being noticed. The
 * `repoman manifest` command is the preferred way to generate manifests
 * and it is capable of doing an entire repository or category at once.
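
Added example, not Portage code and not part of the bug report: why regenerating checksums from local files hides the mismatch the warning above refers to, with the environment-variable gate from the description applied. The manifest layout (size plus SHA-256 per file), the function names and the sample data are assumptions made for this example.

```python
import hashlib
import os

# Variable name taken from the proposal in the bug description.
GATE = "I_KNOW_WHAT_DIGESTS_ARE_FOR_AND_WILL_REPORT_ANY_BROKEN_DIGESTS_ON_BUGZILLA"


def make_manifest(distfiles):
    """Record (size, SHA-256) per file. Assumed layout, not Portage's format."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in distfiles.items()}


def verify(distfiles, manifest):
    """Return the names of files that disagree with (or are absent from) the manifest."""
    bad = []
    for name, data in sorted(distfiles.items()):
        if manifest.get(name) != (len(data), hashlib.sha256(data).hexdigest()):
            bad.append(name)
    return bad


def regenerate(distfiles, manifest, env=None):
    """Rebuild the manifest from local files only if the proposed gate is set to 1."""
    env = os.environ if env is None else env
    if env.get(GATE) != "1":
        # Old manifest is kept, so the mismatch stays visible and reportable.
        bad = verify(distfiles, manifest)
        return manifest, f"refusing to regenerate; set {GATE}=1 (mismatched: {bad})"
    return make_manifest(distfiles), "manifest regenerated from local files"


def demo():
    # Constructed sample data, not a real distfile.
    upstream = {"foo-1.0.tar.gz": b"original release contents"}
    manifest = make_manifest(upstream)             # what the tree ships
    local = {"foo-1.0.tar.gz": b"altered contents on the mirror"}

    before = verify(local, manifest)                # mismatch is detected
    kept, _ = regenerate(local, manifest, env={})   # gate unset: nothing changes
    still = verify(local, kept)
    forced, _ = regenerate(local, manifest, env={GATE: "1"})
    after = verify(local, forced)                   # altered file now "verifies"
    return before, still, after


if __name__ == "__main__":
    print(demo())
```

Once the manifest is rebuilt from the local copy, verification can no longer distinguish the altered file from the original, which is the failure mode both the description and the warning are concerned with.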