Ticket #458 (closed defect: wontfix)
paludis believes potentially corrupt ebuilds
| Reported by: | chaoflow | Owned by: | ciaranm |
|---|---|---|---|
| Priority: | Sometime | Milestone: | |
| Component: | core/paludis | Version: | 0.26.0_alpha4 |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Distribution: | | | |
Description
ebuild in local repository, not listed in Manifest, source tarball not in distfiles.
```
# paludis -ip world
...
paludis@1198125848: [WARNING] Stale cache file at '/var/cache/paludis/metadata/my-local-overlay/app-pda/libopensync-0.35'
...
app-pda/libopensync::my-local-overlay [U 0.22 -> 0.35]
```
Looks like paludis realizes changes in the ebuild, which I made after a previous run of paludis -ip world.
```
# paludis -i world
...
Fetch error:
...
* File 'libopensync-0.35.tar.bz2': failed integrity checks: Not in Manifest
```
Paludis checks the tarball against the Manifest file, but not the ebuild itself. This could be used to query arbitrary? URLs, including localhost URLs where security restrictions might be lower. I don't know about further consequences, but it feels not good that the ebuild is parsed before it is checked to be valid.
Change History

Paludis doesn't do manifest checking on ebuilds, since manifest offers no security.
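
As an added illustration (not code from Paludis or from this ticket), the check the report asks for could look like the sketch below: it compares an ebuild's bytes with its `EBUILD` line in a Manifest2-style file before anything parses the ebuild. The file contents and function names are constructed for the example, and only SHA256 is checked.

```python
import hashlib

def parse_manifest(text):
    """Parse Manifest2-style lines: TYPE name size ALGO hex [ALGO hex ...]."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("EBUILD", "DIST", "AUX", "MISC"):
            continue  # skip blank lines, signature armor, unknown types
        entries[(f[0], f[1])] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries

def check_ebuild(entries, name, data):
    """Classify ebuild bytes against the Manifest before they are sourced.

    An unsigned Manifest sits next to the ebuild, so this detects stale or
    corrupted files, not edits by someone who can also rewrite the Manifest.
    """
    entry = entries.get(("EBUILD", name))
    if entry is None:
        return "not-in-manifest"
    size, hashes = entry
    if len(data) != size:
        return "size-mismatch"
    want = hashes.get("SHA256")
    if want is None:
        return "no-supported-hash"
    if hashlib.sha256(data).hexdigest() != want.lower():
        return "digest-mismatch"
    return "ok"

# Constructed sample data (hypothetical ebuild content, not from the ticket).
LISTED = b'DESCRIPTION="sample"\nSRC_URI="http://example.invalid/libopensync-0.22.tar.bz2"\n'
MANIFEST = "EBUILD libopensync-0.22.ebuild %d SHA256 %s\n" % (
    len(LISTED), hashlib.sha256(LISTED).hexdigest())
ENTRIES = parse_manifest(MANIFEST)

def demo():
    edited = LISTED.replace(b"0.22.tar", b"0.35.tar")  # same length, new SRC_URI
    return [
        check_ebuild(ENTRIES, "libopensync-0.22.ebuild", LISTED),
        check_ebuild(ENTRIES, "libopensync-0.22.ebuild", edited),
        check_ebuild(ENTRIES, "libopensync-0.22.ebuild", LISTED + b"\n"),
        check_ebuild(ENTRIES, "libopensync-0.35.ebuild", edited),
    ]

if __name__ == "__main__":
    print(demo())
```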