
Bug 150121

Summary: portage should require that all files in $FILESDIR be in the Manifest
Product: Portage Development
Reporter: Timothy Redaelli (RETIRED) <drizzt>
Component: Unclassified
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: major
CC: jakub
Priority: High
Keywords: InVCS
Version: 2.1
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 147007

Description Timothy Redaelli (RETIRED) gentoo-dev 2006-10-04 15:41:04 UTC
Hi,
you can put any patch into the directory pointed to by epatch (EPATCH_SOURCE) and portage doesn't check for a digest in the Manifest.

Example:

archer ~ # touch /usr/portage/app-doc/doxygen/files/1.4.7/02_all_hack.patch ; emerge doxygen
Calculating dependencies... done!

>>> Emerging (1 of 1) app-doc/doxygen-1.4.7 to /
 * doxygen-1.4.7.src.tar.gz MD5 ;-) ...                                                                                 [ ok ]
 * doxygen-1.4.7.src.tar.gz RMD160 ;-) ...                                                                              [ ok ]
 * doxygen-1.4.7.src.tar.gz SHA1 ;-) ...                                                                                [ ok ]
 * doxygen-1.4.7.src.tar.gz SHA256 ;-) ...                                                                              [ ok ]
 * doxygen-1.4.7.src.tar.gz size ;-) ...                                                                                [ ok ]
 * checking ebuild checksums ;-) ...                                                                                    [ ok ]
 * checking auxfile checksums ;-) ...                                                                                   [ ok ]
 * checking miscfile checksums ;-) ...                                                                                  [ ok ]
 * checking doxygen-1.4.7.src.tar.gz ;-) ...                                                                            [ ok ]
>>> Unpacking source...
>>> Unpacking doxygen-1.4.7.src.tar.gz to /var/tmp/portage/doxygen-1.4.7/work
 * Applying various patches (bugfixes/updates) ...
 *   01_all_cp1251.patch ...                                                                                            [ ok ]
 *   02_all_hack.patch ...                                                                                              [ ok ]
 *   05_all_system-libpng.patch ...                                                                                     [ ok ]
 *   06_all_qtools.patch ...                                                                                            [ ok ]
 * Done with patching
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/doxygen-1.4.7/work/doxygen-1.4.7 ...
<cut>

You can put any patches here, not only a blank file.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-10-04 23:45:25 UTC
1/ epatch doesn't check any digests; it's an eutils.eclass wrapper around patch, and it's none of its business to do anything about digests.

2/ PORTDIR is only writable by root, at which point you are already doomed if someone else gained root privs. I fail to see your point here???
Comment 2 Zac Medico gentoo-dev 2006-10-05 00:23:21 UTC
The file would be listed in the Manifest and checked if it had been official. Our official ebuilds won't go looking for files that aren't listed in the Manifest.
Comment 3 Zac Medico gentoo-dev 2006-10-05 02:49:44 UTC
I didn't realize that epatch would just grab all the files in a directory like that.  Anyway, only privileged users should have write permission in $FILESDIR, normally.  That leaves you open to attack from a compromised mirror, but you can't protect yourself from that unless we implement checking of gpg signatures on signed manifests.
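The check this bug asks portage to perform, written as an added example that is neither portage's own code nor part of the bug report: parse the Manifest's AUX lines, walk $FILESDIR, and report files that are not listed, listed files that are absent, and listed files whose size or digest no longer match. The Manifest2 line layout used here (type, path, size, then hash-name/hex pairs) and the sample files are constructed; hash names the local Python build cannot compute are skipped rather than reported as mismatches.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Return {relative path: (size, {ALGO: hex})} for the AUX lines, which cover files/."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "AUX":
            entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries

def audit_filesdir(filesdir, manifest_text):
    """Walk filesdir and return (unlisted, mismatched, missing) as sorted relative paths."""
    listed = parse_manifest(manifest_text)
    on_disk = set()
    for root, _dirs, names in os.walk(filesdir):
        for name in names:
            on_disk.add(os.path.relpath(os.path.join(root, name), filesdir))
    mismatched = []
    for rel in sorted(on_disk & set(listed)):
        size, hashes = listed[rel]
        with open(os.path.join(filesdir, rel), "rb") as fh:
            data = fh.read()
        ok = len(data) == size
        for algo, expected in hashes.items():
            try:
                digest = hashlib.new(algo.lower(), data).hexdigest()
            except ValueError:
                continue  # hash type not available in this build (RMD160 often is not): skip it
            ok = ok and digest == expected
        if not ok:
            mismatched.append(rel)
    return sorted(on_disk - set(listed)), mismatched, sorted(set(listed) - on_disk)

def demo():
    """Constructed FILESDIR mirroring the report: a listed patch, a dropped-in file,
    a listed patch whose content was changed, and a listed patch that is absent."""
    tmp = tempfile.mkdtemp()
    patchdir = os.path.join(tmp, "1.4.7")
    os.mkdir(patchdir)
    good = b"--- a/x\n+++ b/x\n@@ -1 +1 @@\n-old\n+new\n"
    for name, content in (("01_all_cp1251.patch", good), ("06_all_qtools.patch", good + b"#\n")):
        with open(os.path.join(patchdir, name), "wb") as fh:
            fh.write(content)
    open(os.path.join(patchdir, "02_all_hack.patch"), "wb").close()  # the unlisted file
    entry = "AUX 1.4.7/%s %d SHA256 %s\n"
    manifest = entry % ("01_all_cp1251.patch", len(good), hashlib.sha256(good).hexdigest())
    manifest += entry % ("06_all_qtools.patch", len(good), hashlib.sha256(good).hexdigest())
    manifest += entry % ("05_all_system-libpng.patch", len(good), hashlib.sha256(good).hexdigest())
    return audit_filesdir(tmp, manifest)
```

Running `demo()` flags `1.4.7/02_all_hack.patch` as unlisted, which is exactly the file epatch applied without any Manifest check in the report above.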
Comment 4 Timothy Redaelli (RETIRED) gentoo-dev 2006-10-05 03:26:28 UTC
(In reply to comment #3)
Yes, sorry, it's my fault; I need to be clearer next time (thanks exg).
Comment 5 Zac Medico gentoo-dev 2006-10-10 23:57:30 UTC
This is fixed in svn r4655.
Comment 6 Zac Medico gentoo-dev 2006-10-11 20:25:37 UTC
This has been released in 2.1.2_pre2-r9.