Ticket #458 (closed defect: wontfix)
paludis believes potentially corrupt ebuilds
Reported by: chaoflow
Owned by: ciaranm
Ebuild in local repository, not listed in Manifest, source tarball not in distfiles.
# paludis -ip world
...
paludis@1198125848: [WARNING] Stale cache file at '/var/cache/paludis/metadata/my-local-overlay/app-pda/libopensync-0.35'
...
app-pda/libopensync::my-local-overlay [U 0.22 -> 0.35]
Looks like paludis realizes changes in the ebuild, which I made after a previous run of paludis -ip world.
# paludis -i world
...
Fetch error:
...
* File 'libopensync-0.35.tar.bz2': failed integrity checks: Not in Manifest
Paludis checks the tarball against the Manifest file, but not the ebuild itself. This could be used to query arbitrary(?) URLs, including localhost URLs where security restrictions might be lower. I don't know about further consequences, but it does not feel good that the ebuild is parsed before it is checked to be valid.
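The check the report asks for, as an added example that is not Paludis code and not part of the ticket: compare an ebuild's bytes with its EBUILD entry in the package's Manifest before anything parses it. It assumes Manifest2-style lines (`TYPE filename size HASHNAME digest ...`) and checks SHA256 only; the function names and the sample package directory are constructed for illustration.

```python
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Map filename -> (size, {hash name: hex digest}) for EBUILD lines."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        # Manifest2 line: TYPE filename size HASHNAME digest [HASHNAME digest ...]
        if len(f) >= 5 and f[0] == "EBUILD" and f[2].isdigit():
            entries[f[1]] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries


def check_ebuild(pkg_dir, ebuild_name):
    """Compare the ebuild's bytes with its Manifest entry; the file is never sourced."""
    try:
        with open(os.path.join(pkg_dir, "Manifest"), encoding="utf-8") as fh:
            entries = parse_manifest(fh.read())
    except FileNotFoundError:
        return "no Manifest"
    if ebuild_name not in entries:
        return "not in Manifest"
    size, hashes = entries[ebuild_name]
    with open(os.path.join(pkg_dir, ebuild_name), "rb") as fh:
        data = fh.read()
    if len(data) != size:
        return "size mismatch"
    # A missing SHA256 field also lands here, so the check fails closed.
    if hashes.get("SHA256", "").lower() != hashlib.sha256(data).hexdigest():
        return "hash mismatch"
    return "ok"


def demo():
    """Constructed package directory: listed, unlisted, then modified ebuild."""
    listed, unlisted = "libopensync-0.22.ebuild", "libopensync-0.35.ebuild"
    body = b"# constructed ebuild body A\n"
    with tempfile.TemporaryDirectory() as d:
        for name in (listed, unlisted):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        with open(os.path.join(d, "Manifest"), "w", encoding="utf-8") as fh:
            fh.write(f"EBUILD {listed} {len(body)} SHA256 {hashlib.sha256(body).hexdigest()}\n")
        results = [check_ebuild(d, listed), check_ebuild(d, unlisted)]
        with open(os.path.join(d, listed), "wb") as fh:
            fh.write(body.replace(b"A", b"B"))  # same size, different content
        results.append(check_ebuild(d, listed))
    return results
```

A caller would refuse to source any ebuild for which `check_ebuild` returns something other than `"ok"`.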