
Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])



I think I posted my last couple of messages on this thread too hastily. I
think I've miscommunicated something to you. Let me try again.

Lars Wirzenius:
> > shell statements inside the debian/rules makefile would be able to 
> > retrieve them and unpack them.
> 
> This is what I'm quite determined to avoid. I do _not_ want to
> depend on Debian maintainers being infallible and non-malicious,
> at least not so much that I can't even unpack a Debian source
> package without endangering my system.
> 
> If Red Hat does this, they're broken.

Let me try to re-explain how Red Hat does things in their source packages.

The .srpm is "unpacked", without any shell script being used. You end up
with the files from the source package (pristine upstream source, patches, 
spec file, etc) in a directory.

When the package is built, a script is run to unpack the files that were in
the source package, apply the patches, etc. Think of it as something like a
"debian/rules setup" target that sets up the build tree.

With this scheme, you aren't running a shell script when you unpack the
package. You can figure out how to look at the tar file or shar archive or
whatever format the upstream source is kept in, without running any special
shell script. The only difference between this and how dpkg-source operates
now is that the actual unpacking of the upstream tarball/whatever (NOT the
debian source package) and applying of the patches is pushed back into
debian/rules, where it can be handled by a shell script. But you need not
run this shell script until you decide to build the package -- which makes
it just as safe as things stand now.

-- 
See shy Jo.

