
Re: [transcript] source package formats



On 21 Mar 2000, Brian May wrote:

> >>>>> "Adam" == Adam Heath <adam@doogie.org> writes:
> 
> How would you create these diffs?

Please reread the mails.  I said it only extracts.  I've said nothing about
building anything yet.

> Also, have you considered how such a system could be integrated
> with CVS?

No, I haven't.  At this early point, I don't want to think about it.  And,
what I have done is just a test, to see if it is actually
possible.  Everything I have done will NOT appear in any final version.

> How would this work without CVS? If the maintainer wanted to create
> the diff files manually (is this the only way?), could he/she include
> the diffs somewhere in the source tree, or would he/she have to
> manually create and update the *.diffs.tar.gz file?

There will be an automated tool to do it, it just hasn't been
designed/created yet.

>     Adam> Actually, it will make things 'less trustworthy,' to quote
>     Adam> Ian.  What is to keep a script in debian/ from editing the
>     Adam> files that exist in debian/diffs?
> 
> I don't understand the security concern - what is to stop the
> script from patching any number of files in the source tree, during
> the standard build process?

This is no different than the current dpkg-source -x.  Ian's concern (please
reread the transcript) was that to extract the source (and apply the
patches) it (dbs) had to run shell code that was inside each pkg.  This shell
code could be 'tainted' with a trojan horse.

The new way has the code responsible for extracting and patching the source
part of dpkg-source itself.  This means someone only has to do one audit, on
dpkg-source, and once satisfied, know the series of steps that are taken to
extract a source archive.

----BEGIN GEEK CODE BLOCK----
Version: 3.12
GCS d- s: a-- c+++ UL++++ P+ L++++ !E W+ M o+ K- W--- !O M- !V PS--
PE++ Y+ PGP++ t* 5++ X+ tv b+ D++ G e h*! !r z?
-----END GEEK CODE BLOCK-----
----BEGIN PGP INFO----
Adam Heath <doogie@debian.org>        Finger Print | KeyID
67 01 42 93 CA 37 FB 1E    63 C9 80 1D 08 CF 84 0A | DE656B05 PGP
AD46 C888 F587 F8A3 A6DA  3261 8A2C 7DC2 8BD4 A489 | 8BD4A489 GPG
-----END PGP INFO-----

