Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])
joey@kite.ml.org (Joey Hess) wrote on 11.05.97 in <[🔎] 19970511194009.48015@kite.ml.org>:
> Lars Wirzenius:
> > They might not understand enough about shell scripts (or Perl, or
> > whatever the script is written in) and whatever tools the script uses
> > to make an informed decision of whether the script is safe. With the
> > current scheme, they only have to trust gzip, tar, patch, and chmod,
>
> And all of debian/rules. And debmake or anoy other programs called by it.
> They are planning on building this package, right?
Not necessarily. And in that case, they have to trust none of these
programs.
I often unpack tarballs without building anything in them, just to look at
the source.
Self extracting archives - even only partially self extracting ones - are
dangerous. We don't need dangerous source archives.
> > if they unpack it manually. Also, with the current scheme it is
> > _simple_ to unpack it manually, and the method is always the same.
> >
> > You might want to unpack a source package for other reasons than
> > to build it -- e.g., I've sometimes searched for documentation. A
> > non-programmer might want to do this so that they can typeset the
> > documentation in LaTeX, instead of printing out the LaTeX2HTML'd
> > version.
>
> I don't see how this applies. We make a tool to run the script and unpack
> the package. No harder than it is now.
No harder, but a lot more dangerous. In that case, most people won't even
*know* that unpacking the source executes a program they know absolutely
nothing about.
Bad, bad idea.
MfG Kai
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: