Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620992 - app-arch/createrepo removal request
Summary: app-arch/createrepo removal request
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Alon Bar-Lev (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 499328
  Show dependency tree
 
Reported: 2017-06-06 10:56 UTC by Pacho Ramos
Modified: 2017-08-07 16:55 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Pacho Ramos gentoo-dev 2017-06-06 10:56:34 UTC 
This is not needed by anything in the tree, but it requires yum, that is completely unmaintained on our side and vulnerable... maybe we could think on treecleaning this :/
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2017-06-06 19:13:18 UTC 
If yum is removed, we can remove this one as well.
However, until then, it is handy to create repo on Gentoo machine.
Comment 2 Sergey Popov gentoo-dev 2017-06-08 00:38:13 UTC 
+1, i use this for maintaining custom CentOS repo on Gentoo host
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-03 20:10:59 UTC 
# Michał Górny <mgorny@gentoo.org> (04 Aug 2017)
# sys-apps/yum is severely outdated (last bump 2013), unmaintained
# since 2010. It has vulnerabilities. Removal in 30 days. Bug #499328.
#
# app-arch/createrepo is the last unmasked dependency. Since it is not
# useful at all without yum, it is being removed as well. Bug #620992.
app-arch/createrepo
sys-apps/yum
Comment 4 Evert 2017-08-04 07:57:37 UTC 
I use app-arch/createrepo on Gentoo for maintaining my CentOS-7 repos.
Please do *not* remove this package (unless a good alternative exists).
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2017-08-04 13:54:38 UTC 
(In reply to Evert from comment #4)
> I use app-arch/createrepo on Gentoo for maintaining my CentOS-7 repos.
> Please do *not* remove this package (unless a good alternative exists).

Yum is one of the dependencies, so sadly, if yum goes away so should this. Sadly, redhat did not release any usable standalone tool.
Comment 6 Evert 2017-08-05 09:49:23 UTC 
Just a quick brainstorm.

You want to get rid of yum on Gentoo because of some Man-in-the-Middle vulnerability.
When both yum and createrepo will be removed, we will no longer be able to maintain custom CentOS repos on Gentoo.

If we want to continue to maintain custom CentOS repos on Gentoo, there are some alternative options:
1. copy both app-arch/createrepo and sys-apps/yum to our local Gentoo repo.
2. rsync custom centos-repo to a CentOS-7 vm, createrepo on the CentOS-7 vm and rsync custom centos-repo back to Gentoo (or something similar).

Conclusion: alternatives exist.
However, I (we?) prefer to keep on using createrepo on native Gentoo, preferably using non-local Gentoo repo.
Since I think the Man-in-the-Middle yum vulnerability does not (really) apply to Gentoo, there is no real added value to remove yum & createrepo from Gentoo.

So, please consider not to remove createrepo and it's dependency yum from Gentoo repo.
Comment 7 Sergey Popov gentoo-dev 2017-08-07 10:58:17 UTC 
Bug #499328 fixed - yum is bumped to up-to-date snapshot. No need to remove this package from tree.

Closing this as WONTFIX
Comment 8 Evert 2017-08-07 16:55:03 UTC 
Great :-D
Thanks a lot!