Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])
email@example.com (Joey Hess) wrote on 11.05.97 in <firstname.lastname@example.org>:
> Lars Wirzenius:
> > They might not understand enough about shell scripts (or Perl, or
> > whatever the script is written in) and whatever tools the script uses
> > to make an informed decision of whether the script is safe. With the
> > current scheme, they only have to trust gzip, tar, patch, and chmod,
> And all of debian/rules. And debmake or anoy other programs called by it.
> They are planning on building this package, right?
Not necessarily. And in that case, they have to trust none of these
I often unpack tarballs without building anything in them, just to look at
Self extracting archives - even only partially self extracting ones - are
dangerous. We don't need dangerous source archives.
> > if they unpack it manually. Also, with the current scheme it is
> > _simple_ to unpack it manually, and the method is always the same.
> > You might want to unpack a source package for other reasons than
> > to build it -- e.g., I've sometimes searched for documentation. A
> > non-programmer might want to do this so that they can typeset the
> > documentation in LaTeX, instead of printing out the LaTeX2HTML'd
> > version.
> I don't see how this applies. We make a tool to run the script and unpack
> the package. No harder than it is now.
No harder, but a lot more dangerous. In that case, most people won't even
*know* that unpacking the source executes a program they know absolutely
Bad, bad idea.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
Trouble? e-mail to email@example.com .