Donnie Berkholz wrote:


Andrew Muraco wrote:
| Another thing that I don't like, is the feel of this method does seem
| "official" enough.. mostly because portage is not 'stable'-aware, it's
| just using a stripped down tree.

What do you want then? If an entire standalone tree distributed by
Gentoo doesn't feel official enough, what will?

What I meant to say is, having this alternative tree method (as described here) would mean that portage would handle everything the exact same as it already does, which means that if some other tree was accidentally sync'd or replaced the local one, portage would react and want to update everything, because it's not 'aware' that there is a difference in the first place. (Now that I think about it, how likely is it that something like that will happen?)

The method described here would also open up the opportunity for "fake" enterprise trees. Without having something to double check that the tree that we have is indeed the one that is wanted, it would be possible for a hacked rsync server (or a bogus one) to host the enterprise (stable) trees with extra ebuilds which could compromise security (/me thinks of emails warning about Microsoft's patches and links which point to infectious websites).

Maybe this is something that's not very likely to happen, but it still is important to note that an enterprise tree has to be secure.

Wkr,
Andrew Muraco
--
gentoo-dev@gentoo.org mailing list
