[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to cope with patches sanely

Charles Plessy <charles-debian-nospam@plessy.org> writes:

> - In the fist I propose that the 'patch' rule could only be provided
> by snippets such as those of dpatch, quilt, and CDBS, so that there
> is no security risk running this command.

This doesn't do anything to prevent a non-policy-compliant source
package providing arbitrary hostile commands (whether by accident or
malice) in the 'patch' target.

The correct way to avoid that is not to run anything from inside the
source package until the user specifies to do that. Unpacking the
source should *not* require (nor even default to) executing something
from inside that source.

-- 
 \        "I saw a sign: 'Rest Area 25 Miles'. That's pretty big. Some |
  `\                      people must be really tired." —Steven Wright |
_o__)                                                                  |
Ben Finney
Reply to: