Bug 585712

Summary: [TRACKER] Live/VCS eclasses used for keyworded release ebuilds
Product: Quality Assurance
Reporter: Michał Górny <mgorny>
Component: Trackers
Assignee: Gentoo Quality Assurance Team <qa>
Status: RESOLVED FIXED
Severity: QA
Keywords: Tracker
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 585714, 585716, 585718, 585720, 585722, 585726, 585728
Bug Blocks:

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-06-12 17:02:32 UTC
This one's for all cases when a live/VCS eclass is being used to fetch sources for a release/keyworded ebuild instead of a snapshot fetched via SRC_URI.

Basic rationale:

- VCS eclasses don't provide strong cryptographic checks like distfiles do,

- VCS resources are less network- and space-efficient, and usually are not mirrored locally when distfiles are,

- distfile fetching is less likely to be problematic on networks with traffic restrictions.

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-14 06:20:06 UTC
pkgcheck's had this fatal for quite a while and no instances in tree (and CI forbids it as a result of pkgcheck).

A very, very long time in fact, but obviously wasn't used for CI back then: https://github.com/pkgcore/pkgcheck/commit/592033724ef75017d88e045c6b410d125c73d3da.
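
A minimal sketch of the condition this tracker describes, added here as an example (it is not code from pkgcheck or from this bug): it flags ebuild text that unconditionally inherits a VCS eclass while setting non-empty KEYWORDS. The eclass list, the column-0 heuristic for "unconditional", and the sample ebuilds for a hypothetical package `foo` are assumptions; conditional inherits need real bash evaluation of the ebuild and are deliberately skipped.

```python
import re

# Assumption: VCS eclass names taken from the Gentoo tree, not from this page.
VCS_ECLASSES = {"git-r3", "subversion", "mercurial", "cvs", "bzr", "darcs"}

# Column-0 matches only: indented lines are treated as conditional and skipped.
INHERIT_RE = re.compile(r"^inherit[ \t]+(.+)$", re.M)
KEYWORDS_RE = re.compile(r"^KEYWORDS=([\"']?)(.*?)\1[ \t]*$", re.M)


def find_violation(ebuild_text):
    """Return (vcs_eclasses, keywords) if a VCS eclass is inherited
    unconditionally while KEYWORDS is non-empty, else None."""
    inherited = set()
    for m in INHERIT_RE.finditer(ebuild_text):
        args = m.group(1).split("#", 1)[0]  # drop a trailing comment
        inherited.update(args.split())
    vcs = sorted(inherited & VCS_ECLASSES)

    keywords = []
    for m in KEYWORDS_RE.finditer(ebuild_text):
        keywords = m.group(2).split()  # last assignment wins

    return (vcs, keywords) if vcs and keywords else None


# Constructed sample ebuilds (hypothetical package "foo").
SAMPLES = {
    # Release ebuild fetching a tag over git: no Manifest checksum covers it.
    "foo-1.2.ebuild": 'EAPI=6\ninherit git-r3\n'
                      'EGIT_REPO_URI="https://example.org/foo.git"\n'
                      'EGIT_COMMIT="v${PV}"\nKEYWORDS="~amd64 ~x86"\n',
    # Live ebuild: VCS eclass is expected, KEYWORDS is empty.
    "foo-9999.ebuild": 'EAPI=6\ninherit git-r3\n'
                       'EGIT_REPO_URI="https://example.org/foo.git"\nKEYWORDS=""\n',
    # Release ebuild using a distfile from SRC_URI.
    "foo-1.3.ebuild": 'EAPI=6\ninherit autotools\n'
                      'SRC_URI="https://example.org/foo-${PV}.tar.gz"\n'
                      'KEYWORDS="amd64 x86"\n',
}


def scan(samples):
    """Map ebuild name -> violation for every sample that has one."""
    return {n: hit for n, t in samples.items() if (hit := find_violation(t))}


if __name__ == "__main__":
    for name, (vcs, kw) in scan(SAMPLES).items():
        print(name, "inherits", ",".join(vcs), "with KEYWORDS", " ".join(kw))
```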