[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])



joey@kite.ml.org (Joey Hess)  wrote on 11.05.97 in <19970511194009.48015@kite.ml.org>:

> Lars Wirzenius:
> > They might not understand enough about shell scripts (or Perl, or
> > whatever the script is written in) and whatever tools the script uses
> > to make an informed decision of whether the script is safe. With the
> > current scheme, they only have to trust gzip, tar, patch, and chmod,
>
> And all of debian/rules. And debmake or anoy other programs called by it.
> They are planning on building this package, right?

Not necessarily. And in that case, they have to trust none of these  
programs.

I often unpack tarballs without building anything in them, just to look at  
the source.

Self extracting archives - even only partially self extracting ones - are  
dangerous. We don't need dangerous source archives.

> > if they unpack it manually. Also, with the current scheme it is
> > _simple_ to unpack it manually, and the method is always the same.
> >
> > You might want to unpack a source package for other reasons than
> > to build it -- e.g., I've sometimes searched for documentation. A
> > non-programmer might want to do this so that they can typeset the
> > documentation in LaTeX, instead of printing out the LaTeX2HTML'd
> > version.
>
> I don't see how this applies. We make a tool to run the script and unpack
> the package. No harder than it is now.

No harder, but a lot more dangerous. In that case, most people won't even  
*know* that unpacking the source executes a program they know absolutely  
nothing about.

Bad, bad idea.


MfG Kai


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .


Reply to: