metadata/repoman: add repoman configuration

There are a few repoman checks that create a lot of false positives, and
some that we want to consider warnings.

sdk_container/src/third_party/coreos-overlay/metadata/repoman/qa_data.yaml

@@ -0,0 +1,65 @@
+---
+
+version: 1
+repoman_version: 2.3.3
+
+missingvars:
+    - LICENSE
+
+qacats:
+    - EAPI.definition
+    - EAPI.deprecated
+    - EAPI.incompatible
+    - EAPI.unsupported
+    - LICENSE.invalid
+    - LICENSE.missing
+    - LICENSE.syntax
+    - dependency.syntax
+    - digest.assumed
+    - digest.missing
+    - ebuild.invalidname
+    - ebuild.majorsyn
+    - ebuild.syntax
+    - file.name
+    - inherit.missing
+    - manifest.bad
+    - repo.eapi.banned
+    - variable.invalidchar
+
+qawarnings:
+    - DESCRIPTION.missing
+    - DESCRIPTION.toolong
+    - HOMEPAGE.virtual
+    - IUSE.invalid
+    - IUSE.missing
+    - KEYWORDS.stupid
+    - LICENSE.deprecated
+    - LICENSE.virtual
+    - digest.unused
+    - ebuild.absdosym
+    - ebuild.invalidname
+    - ebuild.minorsyn
+    - ebuild.patches
+    - file.UTF8
+    - file.executable
+    - file.size
+    - inherit.unused
+    - inherit.deprecated
+    - portage.internal
+    - repo.eapi.deprecated
+    - upstream.workaround
+    - uri.https
+    - variable.readonly
+
+valid_restrict:
+    - binchecks
+    - bindist
+    - fetch
+    - installsources
+    - mirror
+    - preserve-libs
+    - primaryuri
+    - splitdebug
+    - strip
+    - test
+    - userpriv

sdk_container/src/third_party/coreos-overlay/metadata/repoman/repository.yaml

@@ -0,0 +1,78 @@
+---
+
+version: 1
+repoman_version: 2.3.3
+
+# The few modules disabled here generate unreasonable false positives for Container Linux:
+# * The `keywords` module generates KEYWORDS.dropped and KEYWORDS.invalid errors. These are more or
+#   less irrelevant for Container Linux, as they tend to be for platforms with non-Linux kernels,
+#   which aren't a concern for us. These could likely be marked as warnings in qa_data.yaml, but
+#   they aren't really even worth fixing on their own, so there's no need to run them at all.
+# * The `pkgmetadata` module checks metadata.xml. Most of this isn't relevant to Container Linux,
+#   users will not be interacting with the overlay themselves, and so any metadata specified in
+#   metadata.xml will only ever be seen by users of the SDK. As with `keywords`, proper metadata
+#   might be nice to have, but considering metadata issues as warnings or errors here adds more
+#   noise than signal.
+# * The `profile` module, among other issues, generates a huge number (>10000) of dependency.bad
+#   errors. This is due to unmodified (or minimally modified) ebuilds from Gentoo upstream that
+#   depend on ebuilds not present in coreos-overlay or portage-stable. These dependencies are hidden
+#   behind USE flags or otherwise unused in Container Linux, so the missing ebuilds aren't a
+#   problem, but the amount of noise generated by this module makes it unusable.
+#
+#   TODO(csssuf): The `profile` module also contains the LICENSE.invalid check which _is_ valuable
+#   for Container Linux, but repoman currently provides no way to disable checks individually; they
+#   can only be marked as warnings, or their containing modules disabled entirely. Unfortunately the
+#   `profile` module contains so much noise that leaving it enabled isn't an option, so we lose the
+#   ability to use the LICENSE.invalid check too. If/when repoman has a fix for this, use it.
+scan_modules:
+    description
+    eapi
+    ebuild_metadata
+    fetches
+    files
+    -keywords
+    live
+    manifests
+    multicheck
+    -pkgmetadata
+    -profile
+    restrict
+    ruby
+
+linechecks_modules:
+    assignment
+    eapi3assignment
+    implicitdepend
+    hasq
+    useq
+    preservelib
+    bindnow
+    inherit
+    dosym
+    definition
+    srcprepare
+    eapi3deprecated
+    pkgpretend
+    eapi4incompatible
+    eapi4gonevars
+    paralleldisabled
+    autodefault
+    -gentooheader
+    nooffset
+    nesteddie
+    patches
+    emakeparallel
+    srccompileeconf
+    srcunpackpatches
+    portageinternal
+    portageinternalvariableassignment
+    quote
+    quoteda
+    httpsuri
+    builtwith
+    uselesscds
+    uselessdodoc
+    whitespace
+    blankline
+    addpredict
+    noasneeded