Uwe Thiem wrote:
> On Monday 28 April 2008, Albert Hopkins wrote:
>> On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
>>> Hi all,
>>>
>>> I'm trying to set up the portage directory to be hosted over nfs.
>>> Everything is working great but I would like to increase the
>>> security a
>>> little. I was wondering if there's an easy way to restrict
>>> 'emerge --sync' to only work on the server, while still letting
>>> all the nfs client machines download sources and emerge packages.
>> Have clients only mount portage read-only and put distfiles in
>> another fs and make it read-write.
>
> Yes, this should work. I have got just one question: How does
> disabling "emerge --sync" from NFS clients improve security?
>
> Uwe
>

I have a number of overlay ebuilds that I need in place that override
specific versions of packages, and I don't want various users to 'emerge
--sync' too often and break things by installing a non-patched package
that has an old overlay. This way I can also keep all the clients at
the same revs of everything and avoid various bugs with things like
pam/vmware/kernels/graphics drivers/etc... Plus there's the whole
bandwidth saving issue.

The biggest reason is so someone doesn't get a newer pam_usb or pam_ldap
than the overlay versions and then can't login anymore.

Chris Frederick
--
gentoo-user@(protected)