Open CyberTailor opened 2 years ago
Check if one archive overwrites files of another archive.
I think cases where this would be useful are rather rare, wouldn't mind if simple but implementing it sounds messy. Imagine would either need to redefine portage's unpack() (may be doable but I don't really want to touch PMS functions, feels volatile) or unpack twice which is both wasteful and won't work well with custom src_unpack() (Edit: e.g. that change directory to avoid overwrites in the first place). Also want to stay away from trying to wrap tar/unzip/etc. directly.
Verify that Go dependency tarballs are modcache tarballs, not vendor tarballs.
I never worked with Go nor Go ebuilds so unsure I'd want to implement this myself, but either way I'd rather this be left alone right now given discussions keep jumping all over the place (barely followed) and feel it'd be best left for later than rush to implement complementary checks here that could potentially end up in the eclasses.
If it involves security, unsure it really belongs here too. Realistically not everyone uses iwdevtools and things would be left unchecked (either way, don't want to start a general Go debate here).
These checks can help proxy maintainers to make sure that third-party archives aren't malicious.
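As an added illustration of the first requested check (not part of this thread and not iwdevtools code): one way to detect overlapping paths is to read only the member lists of the tarballs and compare them, without unpacking anything. The function names and the sample archives are hypothetical and constructed in memory; only tar archives are handled, and it assumes all archives unpack into the same directory.

```python
import io
import posixpath
import tarfile
from collections import defaultdict


def make_tar(files):
    """Build an in-memory tar from {member name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def find_overwrites(archives):
    """Map each non-directory path found in more than one archive to the
    labels of the archives shipping it, in the order they were given.

    archives: {label: seekable binary file object holding a tar archive}
    """
    owners = defaultdict(list)
    for label, fileobj in archives.items():
        seen = set()
        with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
            for member in tar:
                if member.isdir():
                    continue  # shared directories are expected, not overwrites
                # "./a/b" and "a/b" land on the same file once unpacked
                path = posixpath.normpath(member.name)
                if path not in seen:
                    seen.add(path)
                    owners[path].append(label)
    return {path: labels for path, labels in owners.items() if len(labels) > 1}


def sample_archives():
    """Constructed example: a source tarball plus a third-party deps tarball."""
    return {
        "pkg-1.0.tar": make_tar({
            "pkg-1.0/main.go": b"package main\n",
            "pkg-1.0/go.sum": b"upstream sums\n",
        }),
        "pkg-1.0-deps.tar": make_tar({
            "./pkg-1.0/go.sum": b"replaced sums\n",
            "pkg-1.0/vendor/modules.txt": b"# example\n",
        }),
    }


if __name__ == "__main__":
    for path, labels in find_overwrites(sample_archives()).items():
        print(f"{path}: shipped by {', '.join(labels)}")
```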