app-backup/restic: add 0.14.0 #27050

Closed
wants to merge 2 commits into from

stkw0
Contributor

@stkw0 stkw0 commented Aug 28, 2022

No description provided.

@gentoo-bot gentoo-bot added self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) assigned PR successfully assigned to the package maintainer(s). labels Aug 28, 2022
@stkw0 stkw0 force-pushed the kubo branch 2 times, most recently from d4884df to 9efc300 Compare September 4, 2022 19:44
@stkw0 stkw0 changed the title app-backup/restic: add 0.14.0 [please reassign] app-backup/restic: add 0.14.0 Sep 4, 2022
@gentoo-bot gentoo-bot changed the title [please reassign] app-backup/restic: add 0.14.0 app-backup/restic: add 0.14.0 Sep 4, 2022
@gentoo-bot gentoo-bot added self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) assigned PR successfully assigned to the package maintainer(s). bug linked Bug/Closes found in footer, and cross-linked with the PR. and removed assigned PR successfully assigned to the package maintainer(s). self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) labels Sep 4, 2022
@stkw0 stkw0 changed the title app-backup/restic: add 0.14.0 [please reassign] app-backup/restic: add 0.14.0 Sep 4, 2022
@gentoo-bot gentoo-bot changed the title [please reassign] app-backup/restic: add 0.14.0 app-backup/restic: add 0.14.0 Sep 4, 2022
@gentoo-bot

Pull Request assignment

Submitter: @stkw0
Areas affected: ebuilds
Packages affected: app-backup/restic

app-backup/restic: @stkw0, @gentoo/proxy-maint

Linked bugs

Bugs linked: 830936, 630244, 868021


In order to force reassignment and/or bug reference scan, please append [please reassign] to the pull request title.

Docs: Code of Conduct, Copyright policy (expl.) ● Devmanual, GitHub PRs, Proxy-maint guide

@gentoo-bot gentoo-bot added self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) assigned PR successfully assigned to the package maintainer(s). bug linked Bug/Closes found in footer, and cross-linked with the PR. and removed assigned PR successfully assigned to the package maintainer(s). self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) bug linked Bug/Closes found in footer, and cross-linked with the PR. labels Sep 4, 2022
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2022-09-04 20:12 UTC
Newest commit scanned: 435ac4a
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/65ae6a0907/output.html

Member

@juippis juippis left a comment

There's something weird going on with your commits and they can't be applied. Could you also fix the 0.14 bump so it immediately uses the vendor tarball, instead of adding 1000+ lines ebuild then fixing it in the next commit? :P

Overall the commits are a bit mixed up right now, but the outcome looks good.

@stkw0
Contributor Author

stkw0 commented Sep 27, 2022

Sorry, seems after I sent the PR fixing it someone else fixed the same thing, hence the conflict. I will update it asap to resolve the conflict.

Signed-off-by: David Roman <davidroman96@gmail.com>
Closes: https://bugs.gentoo.org/630244
Closes: https://bugs.gentoo.org/868021
Closes: https://bugs.gentoo.org/830936
Signed-off-by: David Roman <davidroman96@gmail.com>
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2022-09-27 19:27 UTC
Newest commit scanned: 048a2b1
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/18b6f683b3/output.html

@Flowdalic
Member

Flowdalic commented Sep 27, 2022

Personally, I am not really happy that a high-profile and highly security-sensitive project, like restic, is using a third party, that is, neither Gentoo nor upstream, to obtain its source. Please consider asking upstream to provide an official vendor or dependency tarball.

@stkw0
Contributor Author

stkw0 commented Sep 27, 2022

I don't see much of a problem because if someone changes the content of the vendor tarball portage will complain about it. But I understand that trusting another player is not ideal, so I've opened an issue to restic, see restic/restic#3945

@Flowdalic
Member

Flowdalic commented Sep 27, 2022

> I don't see much of a problem because if someone changes the content of the vendor tarball portage will complain about it.

That's not the attack vector I had in mind. The problem is that it requires an enormous effort to audit the contents of the vendored or dependency tarballs for malicious code. And I'd like to keep the parties that are able to inject code in Gentoo's restic build to a minimum, considering that backup software like restic often runs with the highest privileges, or at least with CAP_DAC_READ_SEARCH.
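
The distinction drawn in the last comment, as an added example (not code from this PR, Gentoo or restic): a Manifest checksum pins the tarball's bytes but says nothing about who chose them, whereas diffing the downloaded tarball against one regenerated locally from upstream's go.mod/go.sum (for instance with `go mod vendor`) shows exactly what the third party contributed. The function names, module paths and in-memory tarballs below are constructed for illustration.

```python
import hashlib
import io
import tarfile


def file_digests(tar_bytes, strip_components=1):
    """Map each path (top-level directory stripped) to a digest of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isdir():
                continue
            path = "/".join(member.name.split("/")[strip_components:])
            if member.isfile():
                digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            else:  # links and special files: record the target, never follow it
                digests[path] = f"non-regular:{member.linkname}"
    return digests


def compare_vendor_trees(third_party, regenerated):
    """Diff a downloaded vendor tarball against a locally regenerated one."""
    a, b = file_digests(third_party), file_digests(regenerated)
    return {
        "only_in_third_party": sorted(set(a) - set(b)),
        "missing_from_third_party": sorted(set(b) - set(a)),
        "content_differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def make_tar(files, top="restic-0.14.0"):
    """Build a constructed sample tarball in memory (not real restic data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: the download has one changed and one extra file.
REGENERATED = make_tar({"vendor/example.org/lib/lib.go": b"package lib\n"})
THIRD_PARTY = make_tar({
    "vendor/example.org/lib/lib.go": b"package lib\n\nfunc init() {}\n",
    "vendor/example.org/lib/extra.go": b"package lib\n",
})

if __name__ == "__main__":
    print(compare_vendor_trees(THIRD_PARTY, REGENERATED))
```

An empty report means the third-party tarball adds nothing beyond what upstream's pinned dependencies already determine; any non-empty entry is the set of files that would need a manual audit.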
