Re: How to cope with patches sanely

On Thu, Jan 31, 2008 at 01:09:44PM +0200, Lars Wirzenius wrote:
> On to, 2008-01-31 at 20:03 +0900, Charles Plessy wrote:
> > I am wondering if just mandating 'debian/rules patch' to work if
> > debian/patches exist shouldn't be just sufficient.
> The only big problem I have with that is that it requires some unknown
> subset of build-dependencies to be installed, and to run code _from_
> _the_ _package_, just to unpack a source package. This makes me
> uncomfortable: you have to install and run complicated tools and
> untrusted code, with all the potential for bugs and security trouble
> that involves, just to see the source code.

I have a similar discomfort. We regard bugs in tar that allow malicious
tarballs to do bad things as security vulnerabilities, and rightly so.

That said, we could have this behaviour controlled by an option, so that
if you knew you were fetching a trusted signed package from the Debian
archive then you could supply the option, and otherwise (say you were
examining a package provided by a sponsored developer whom you didn't
know very well) then you could omit the option and get safe behaviour.

Colin Watson                                       [cjwatson@debian.org]
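A sketch of the option described in the reply above, added here as an example; it is not code from this thread, from dpkg-source or from any other Debian tool. The hypothetical wrapper `unpack_source()` defaults to the safe behaviour, applying `debian/patches/series` as plain data through a small unified-diff applier (`apply_patch()`, a stand-in for `patch(1)` that handles only edits to existing files), and runs the package's own `debian/rules patch` only when the caller passes `trusted=True`. The sample source tree built by `make_demo_tree()` is constructed for the demonstration: its `debian/rules` is a one-line shell stub that merely leaves a marker file, so you can see which path executed package-supplied code.

```python
"""Added example (not code from this thread or from Debian's tooling): a
source-unpack wrapper that applies debian/patches as data by default and
runs the package's own `debian/rules patch` only when explicitly trusted."""
from __future__ import annotations
import os, re, stat, subprocess, tempfile

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def _safe_path(tree: str, rel: str) -> str:
    # Resolve `rel` under `tree`; refuse anything that escapes the tree.
    root = os.path.realpath(tree)
    full = os.path.realpath(os.path.join(root, rel))
    if not rel or os.path.commonpath([root, full]) != root:
        raise ValueError(f"refusing path outside the source tree: {rel!r}")
    return full


def apply_patch(tree: str, patch_text: str, strip: int = 1) -> list[str]:
    """Apply a (possibly multi-file) unified diff to existing files under
    `tree`, like `patch -p<strip>`. Pure data transformation: nothing from
    the package is executed. Files are written only after every hunk has
    matched, so a bad hunk raises ValueError and leaves the tree untouched."""
    lines = patch_text.splitlines(keepends=True)
    files: dict[str, dict] = {}   # path -> {"src": [...], "out": [...], "pos": int}
    cur, i = None, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("+++ "):            # start of a per-file section
            name = line[4:].split("\t")[0].strip()
            path = _safe_path(tree, "/".join(name.split("/")[strip:]))
            with open(path, encoding="utf-8") as f:
                cur = files[path] = {"src": f.read().splitlines(keepends=True),
                                     "out": [], "pos": 0}
            i += 1
            continue
        m = HUNK_RE.match(line)
        if not m:                              # '--- ' headers, free text
            i += 1
            continue
        if cur is None:
            raise ValueError("hunk before any '+++' header")
        src, out = cur["src"], cur["out"]
        old_left = int(m.group(2)) if m.group(2) is not None else 1
        new_left = int(m.group(4)) if m.group(4) is not None else 1
        # A zero-length old range (pure insertion) is anchored after line N.
        start = int(m.group(1)) - (0 if old_left == 0 else 1)
        if start < cur["pos"] or start > len(src):
            raise ValueError(f"hunk out of order or past EOF: {line.strip()}")
        out.extend(src[cur["pos"]:start])
        cur["pos"] = start
        i += 1
        while old_left > 0 or new_left > 0:
            if i >= len(lines):
                raise ValueError("truncated hunk")
            tag, body = lines[i][:1], lines[i][1:]
            if tag == "\\":                    # "\ No newline at end of file"
                i += 1
                continue
            if tag in (" ", "-"):              # context / removed: must match
                if cur["pos"] >= len(src) or src[cur["pos"]] != body:
                    raise ValueError(f"hunk does not apply at line {cur['pos'] + 1}")
                cur["pos"] += 1
                old_left -= 1
                if tag == " ":
                    out.append(body)
                    new_left -= 1
            elif tag == "+":                   # added line
                out.append(body)
                new_left -= 1
            else:
                raise ValueError(f"malformed hunk line: {lines[i]!r}")
            i += 1
    for path, st in files.items():
        st["out"].extend(st["src"][st["pos"]:])
        with open(path, "w", encoding="utf-8") as f:
            f.write("".join(st["out"]))
    return sorted(os.path.relpath(p, os.path.realpath(tree)) for p in files)


def unpack_source(tree: str, trusted: bool = False) -> list[str]:
    """Make a Debian-style source tree readable.
    trusted=False: apply debian/patches/series with apply_patch(); no code
    shipped in the package runs.  trusted=True: run the package's own
    `debian/rules patch`, which executes whatever the package ships; reserve
    this for packages whose provenance you have already verified."""
    if trusted:
        subprocess.run([os.path.join(tree, "debian", "rules"), "patch"],
                       cwd=tree, check=True)
        return ["debian/rules patch"]
    series = os.path.join(tree, "debian", "patches", "series")
    applied: list[str] = []
    if not os.path.exists(series):
        return applied
    with open(series, encoding="utf-8") as f:
        for entry in f:
            words = entry.split("#", 1)[0].split()   # "name [-pN]", '#' comments
            if not words:
                continue
            strip = int(words[1][2:]) if len(words) > 1 and words[1].startswith("-p") else 1
            with open(_safe_path(os.path.dirname(series), words[0]), encoding="utf-8") as pf:
                apply_patch(tree, pf.read(), strip=strip)
            applied.append(words[0])
    return applied


# --- constructed sample package (hypothetical, not a real Debian source) ---
HELLO_C = "\n".join(["#include <stdio.h>", "", "int main(void)", "{",
                     '    printf("hello\\n");', "    return 0;", "}"]) + "\n"
FIX_PATCH = "\n".join(["--- a/hello.c", "+++ b/hello.c", "@@ -3,5 +3,6 @@",
                       " int main(void)", " {", '-    printf("hello\\n");',
                       '+    printf("hello, world\\n");', "+    fflush(stdout);",
                       "     return 0;", " }"]) + "\n"
RULES_STUB = "#!/bin/sh\n# constructed stand-in for debian/rules: only leaves a marker\ntouch RAN_DEBIAN_RULES\n"


def make_demo_tree() -> str:
    """Build the constructed sample tree in a temp dir and return its path."""
    tree = tempfile.mkdtemp(prefix="unpack-demo-")
    os.makedirs(os.path.join(tree, "debian", "patches"))
    for rel, text in [("hello.c", HELLO_C), ("debian/patches/series", "fix-greeting.patch\n"),
                      ("debian/patches/fix-greeting.patch", FIX_PATCH), ("debian/rules", RULES_STUB)]:
        with open(os.path.join(tree, rel), "w", encoding="utf-8") as f:
            f.write(text)
    rules = os.path.join(tree, "debian", "rules")
    os.chmod(rules, os.stat(rules).st_mode | stat.S_IXUSR)
    return tree


def tree_file(tree: str, rel: str) -> str:
    with open(os.path.join(tree, rel), encoding="utf-8") as f:
        return f.read()


def rules_ran(tree: str) -> bool:
    return os.path.exists(os.path.join(tree, "RAN_DEBIAN_RULES"))


if __name__ == "__main__":
    t = make_demo_tree()
    print("untrusted:", unpack_source(t), "- package code ran:", rules_ran(t))
    t = make_demo_tree()
    print("trusted:", unpack_source(t, trusted=True), "- package code ran:", rules_ran(t))
```

The point of the split is the one raised in the thread: the default path treats the package purely as data (patch files are parsed and matched, never executed, and a hunk that does not apply aborts before any file is written), while the trusted path deliberately hands control to code inside the package and therefore belongs only behind an explicit opt-in.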

