On 02/11/2014 11:34 PM, Rich Freeman wrote:
> On Tue, Feb 11, 2014 at 1:56 AM, Michael Palimaka <kensing...@gentoo.org> wrote:
>>
>> Looks interesting. It reminds me somewhat of autodep[1].
>>
> 
> Interesting - does this work?  I don't see it in portage.
It used to work pretty well, but the bundled portage version doesn't
support EAPI 5. I previously made an attempt to merge a newer version of
portage in, but I was not successful.

> One of those ideas I've always wanted to implement is to create a
> portage hook/patch that looks at the dependencies for the package
> being built and configures sandbox to block read-access to anything
> that wasn't explicitly declared.  Sandbox works for read-access as
> well as write-access, though in /etc/sandbox.d/00default read-access
> is enabled everywhere by default.
> 
> And, yes, it could be configured to allow access to @system...
That's pretty much what emerge_strict does.

