app-backup/restic: add 0.14.0 #27050
d4884df to 9efc300
Pull Request assignment
Submitter: @stkw0
app-backup/restic: @stkw0, @gentoo/proxy-maint
Linked bugs
Bugs linked: 830936, 630244, 868021
In order to force reassignment and/or bug reference scan, please append
Pull request CI report
Report generated at: 2022-09-04 20:12 UTC
There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
There's something weird going on with your commits and they can't be applied. Could you also fix the 0.14 bump so it immediately uses the vendor tarball, instead of adding 1000+ lines ebuild then fixing it in the next commit? :P
Overall the commits are a bit mixed up right now, but the outcome looks good.
Sorry, seems after I sent the PR fixing it someone else fixed the same thing, hence the conflict. I will update it asap to resolve the conflict.
Signed-off-by: David Roman <davidroman96@gmail.com>
Closes: https://bugs.gentoo.org/630244
Closes: https://bugs.gentoo.org/868021
Closes: https://bugs.gentoo.org/830936
Signed-off-by: David Roman <davidroman96@gmail.com>
Pull request CI report
Report generated at: 2022-09-27 19:27 UTC
There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
Personally, I am not really happy that a high-profile and highly security-sensitive project, like restic, is using a third party, that is, neither Gentoo nor upstream, to obtain its source. Please consider asking upstream to provide an official vendor or dependency tarball.
I don't see much of a problem because if someone changes the content of the vendor tarball, portage will complain about it. But I understand that trusting another player is not ideal, so I've opened an issue with restic, see restic/restic#3945
That's not the attack vector I had in mind. The problem is that it requires an enormous effort to audit the contents of the vendored or dependency tarballs for malicious code. And I'd like to keep the parties that are able to inject code in Gentoo's restic build to a minimum, considering that backup software like restic often runs with the highest privileges, or at least with CAP_DAC_READ_SEARCH.