Brave Browser and a question about Gentoo Overlay QA[SOLVED]

[Budoka]

Moderators, I wasn't sure if I should post this in the Unsupported Software subforum or this one. Please move to the appropriate subforum if this isn't where my question should be.

As best I can tell, Brave Broswer is currently not in portage. Based on the research I've done building from source is at best prohibitively challenging and at worst impossible.

I see that there is a Brave Overlay with a binary that can be installed which leads me to my question...

How safe is it to install from overlays from a security/privacy standpoint? The Gentoo Overlay Wiki states

The repository should be maintained with best effort not to cause issues to users using it. We reserve the right to remove repositories that are reported to pose a serious threat to our users.

But, are overlays actively monitored or is it reactive ie: Someone reports it and then it is removed. Or are they vetted in some way before being added? As much as I'd like to use this particular overlay I hesitate to do so because I use things such as my password manager in it. And quite honestly I was spooked by the author's email address which is at the domain name

@medicalcannab.is

[fedeliallalinea]

There are some automatically QA check but I don't know what is exactly are.
You can check the SRC_URI in ebuild if download in official site, you can also download manually program and put it in distfiles directory and then run emerge if checksum from downloaded program differ from that in Manifest file the is a problem.

And quite hoenstly I was spooked by the author's email address which is at the domain name:

Code: Select all

@medicalcannab.is	

Where you see that in metadata.xml I see jpizarrocallejas@gmail.com

[Budoka]

There are some automatically QA check but I don't know what is exactly are.
You can check the SRC_URI in ebuild if download in official site, you can also download manually program and put it in distfiles directory and then run emerge if checksum from downloaded program differ from that in Manifest file the is a problem.

And quite honestly I was spooked by the author's email address which is at the domain name:

Code: Select all

@medicalcannab.is	

Where you see that in metadata.xml I see jpizarrocallejas@gmail.com

Thanks for the reply. When I look at the overlay info that is the address that appears.

layman -i brave-overlay

* brave-overlay
* ~~~~~~~~~~~~~
* Source : https://gitlab.com/jason.oliveira/brave-overlay.git
* Contact : Jason Oliveira <jason.oliveira@medicalcannab.is>
* Type : Git; Priority: 50
* Quality : experimental
*
* Description:
* Brave Overlay
*
* Link:
* https://gitlab.com/jason.oliveira/brave-overlay
*
* Feed:
* https://gitlab.com/jason.oliveira/brave ... aster.atom

[Ant P.]

You're more concerned about the overlay author's email address than the concept of a chromium wrapper funded by a cryptocurrency that derives its value from proactive advertising to its users?

[Budoka]

You're more concerned about the overlay author's email address than the concept of a chromium wrapper funded by a cryptocurrency that derives its value from proactive advertising to its users?

LOL. That's cute.

But in all seriousness, Brave aside, that doesn't answer my underlying question about the security/integrity of installing binaries from overlays vs compiling from portage.

[Hu]

Based on the "Reserve the right" language, I expect, and suggest you act as if, the reviews are not scheduled on any particular timeline, not required as a condition of membership, and not exhaustive enough to uncover cleverly hidden hostile content. Based on those qualifiers, I would then say that you should not install critical software from an overlay unless you have a good reason to trust that maintainer specifically (e.g. if it is a well respected Gentoo developer who uses an overlay for his/her highly experimental packages, or a longtime community contributor with years of trustworthy activity to his/her name).

[Budoka]

Based on the "Reserve the right" language, I expect, and suggest you act as if, the reviews are not scheduled on any particular timeline, not required as a condition of membership, and not exhaustive enough to uncover cleverly hidden hostile content. Based on those qualifiers, I would then say that you should not install critical software from an overlay unless you have a good reason to trust that maintainer specifically (e.g. if it is a well respected Gentoo developer who uses an overlay for his/her highly experimental packages, or a longtime community contributor with years of trustworthy activity to his/her name).

Thank you. That is prudent advice and was my initial inclination. But I realized that, in addition to tons of other stuff, the Gentoo Overlay system is something I am just not familiar with thus my question.

[Juippisi]

There are some automatically QA check but I don't know what is exactly are.

It's basically just checking that sourcing the overlay isn't broken. So no ebuild QA checks are run on overlays.

But in all seriousness, Brave aside, that doesn't answer my underlying question about the security/integrity of installing binaries from overlays vs compiling from portage.

I'd say portage is much more secure because there are a lot more eyes, and every commit is made public via git web browser and gentoo-commits mailing list. When it comes to overlays, you should audit the ebuilds before installing. It's the same everywhere, like with Arch Linux's AUR. I'm not aware of any misuse from Gentoo overlays, but doesn't mean there aren't any.

[fedeliallalinea]

There are some automatically QA check but I don't know what is exactly are.

It's basically just checking that sourcing the overlay isn't broken. So no ebuild QA checks are run on overlays.

OK thank you for information, I thought there was a minimum of automatic QA check.