On Wed, Sep 25, 2019 at 4:14 PM Michał Górny <mgo...@gentoo.org> wrote:
>
> Hi,
>
> I'm wondering if we're doing the right things by adding KEYWORDS to
> packages using cdrom.eclass. After all, it's somewhat similar to live
> ebuilds. That is, data is fetched outside regular PM mechanisms (though
> not implicitly through Internet, arguably) and it is not covered by any
> checksums.
>
> This creates a somewhat gaping security hole to anyone using those
> packages. After all, the ebuilds are going to happily install any
> malware you might have on that CD without even thinking twice about it.
> In fact, with construction of many ebuilds it is entirely plausible that
> additional unexpected files may end up being installed.

The eclass seems to be used exclusively by games (with one exception), which are probably full of unreported security problems anyway.

> To be honest, I don't think this is a problem that could be fixed.
> Technically, we could add some kind of, say, b2sum lists to ebuilds
> and verify installed files against them. However, the way I understand
> we frequently aim to support different releases of the same product,
> that may have wildly differing checksums.
>
> So maybe the most obvious solution would be to remove KEYWORDS from
> ebuilds unconditionally using cdrom.eclass (and their reverse
> dependencies), and mask USE=cdinstall on the rest.
>
> WDYT?

Move them to an overlay.
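The "b2sum list" idea raised in the quoted message, as an added example that is not part of this thread, of cdrom.eclass, or of any Portage code. It assumes a hypothetical manifest format in the style of `b2sum` output (digest, two spaces, relative path), where a path may be listed more than once so that several supported releases of the same product each have an acceptable digest; the manifest itself would be shipped with the ebuild and therefore covered by the normal tree checksums. The check reports modified files, missing files and, for the "additional unexpected files" concern, files on disk that the manifest never listed. All file contents and digests below are constructed for the demo.

```python
"""Verify a tree installed from unverified media against a BLAKE2b manifest.

Added example; not cdrom.eclass or Portage code. Manifest format (assumed):
  <blake2b hex digest>  <relative/path>
A path may appear on several lines, one per supported release.
"""
import hashlib
import tempfile
from pathlib import Path


def blake2b_file(path: Path) -> str:
    """Stream a file through BLAKE2b and return the hex digest."""
    h = hashlib.blake2b()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, set[str]]:
    """Map each relative path to the set of digests accepted for it."""
    manifest: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest.setdefault(rel, set()).add(digest.lower())
    return manifest


def verify_tree(root: Path, manifest: dict[str, set[str]]) -> dict[str, list[str]]:
    """Classify every manifest entry and every file under root."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digests in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif blake2b_file(p) in digests:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    # Anything the manifest did not list is an unexpected install.
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed install tree plus manifest and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "data").mkdir()
        (root / "data" / "level1.dat").write_bytes(b"release-1.0 level data")
        (root / "data" / "readme.txt").write_bytes(b"tampered text")   # differs from manifest
        (root / "data" / "extra.so").write_bytes(b"not in manifest")   # never listed
        good = blake2b_file(root / "data" / "level1.dat")
        other_release = hashlib.blake2b(b"release-1.1 level data").hexdigest()
        expected_readme = hashlib.blake2b(b"original text").hexdigest()
        missing_file = hashlib.blake2b(b"music").hexdigest()
        manifest = parse_manifest(
            "# constructed manifest: two acceptable releases of level1.dat\n"
            f"{good}  data/level1.dat\n"
            f"{other_release}  data/level1.dat\n"
            f"{expected_readme}  data/readme.txt\n"
            f"{missing_file}  data/music.ogg\n"
        )
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the manifest lines mirror `b2sum` output, a maintainer could generate one release's entries with `b2sum` over a known-good install and append the lines for the next release rather than replacing them, which is the per-release checksum problem the quoted message points at. Unexpected files are flagged rather than silently tolerated, so an install step that copies more than it intended shows up in the report.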