
Re: How to cope with patches sanely

On pe, 2008-02-01 at 01:45 +0900, Charles Plessy wrote:
> Hi Lars, I do not get your point.
> If you are concerned that the persons who sent you a package to sponsor
> have put malicious code in it, what I guess you will first review is
> wether the scripts you have to execute to test the packages are safe.

At the moment, I can unpack a source package and then review it before I
run anything. You propose to make things more complicated by having to
review things before unpacking. I find that to be an unwanted,
unnecessary, and _dangerous_ complication.

> Shall we conclude that the idea of
> automatically applying the patches when the sources are unpacked is
> ruled out by the complexity and the side-effect security issues that it
> would create ?

That is a highly premature conclusion. We can create ways in which
patches are applied by dpkg-source directly, for example, instead of
having to run code from the package. That's the point of my
participation in this sub-thread: to stop the _wrong_ way of
implementing this.

See David Nusinow's e-mail[1] as an example of an outline for how this
can be done sanely. (He refers to Ted Tso's e-mail, and I think it's

[1] http://lists.debian.org/debian-devel/2008/02/msg00003.html
[2] http://lists.debian.org/debian-devel/2008/01/msg01008.html
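Added example, not code from this thread, from dpkg or from Debian: a small Python sketch of the design argued for above, patches applied by the unpacking tool as plain data from a series list, with a review step that reports which files will be touched before anything is written and no code from the package executed at any point. The series layout, the minimal unified-diff applier (one hunk format, no fuzz, existing files only) and the sample tree and patches are all constructed assumptions for illustration.

```python
"""Added example, not dpkg's or Debian's code: apply a patch series as pure
data, as the unpack tool could do itself, instead of running package code.
Assumptions: a simple series list, one unified-diff hunk format, no fuzz,
existing files only, every hunk line tagged, files ending in a newline."""
import re
import tempfile
from pathlib import Path

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def safe_relpath(path):
    """Drop the a/ or b/ prefix and refuse paths that could leave the tree:
    a path is data too, and '..' is how a data-only patch still does damage."""
    parts = path.split("/")[1:]
    if path.startswith("/") or not parts or any(
            p in ("", ".", "..") for p in parts):
        raise ValueError("unsafe path in patch: %r" % path)
    return "/".join(parts)

def parse_unified_diff(text):
    """Return [(path, [(old_start, hunk_lines), ...]), ...]."""
    lines, files, i = text.splitlines(), [], 0
    while i < len(lines):
        if not lines[i].startswith("--- "):
            i += 1                               # description text, etc.
            continue
        if i + 1 >= len(lines) or not lines[i + 1].startswith("+++ "):
            raise ValueError("malformed file header")
        path, i, hunks = lines[i + 1][4:].split("\t")[0], i + 2, []
        while i < len(lines) and lines[i].startswith("@@"):
            m = HUNK_RE.match(lines[i])
            if not m:
                raise ValueError("bad hunk header: %r" % lines[i])
            old_len, new_len = int(m.group(2) or 1), int(m.group(4) or 1)
            i, body, seen_old, seen_new = i + 1, [], 0, 0
            while seen_old < old_len or seen_new < new_len:
                line, i = lines[i], i + 1        # IndexError: truncated hunk
                if not line or line[0] not in " -+":
                    raise ValueError("unexpected line in hunk: %r" % line)
                seen_old += line[0] in " -"
                seen_new += line[0] in " +"
                body.append(line)
            hunks.append((int(m.group(1)), body))
        files.append((path, hunks))
    return files

def apply_hunks(old_lines, hunks):
    """Apply hunks exactly (no fuzz, no offset search); return new lines."""
    out = list(old_lines)
    for old_start, body in hunks:
        # earlier hunks may have grown or shrunk the file: shift by that delta
        pos = max(old_start - 1, 0) + len(out) - len(old_lines)
        expected = [l[1:] for l in body if l[0] in " -"]
        if out[pos:pos + len(expected)] != expected:
            raise ValueError("hunk at line %d does not apply" % old_start)
        out[pos:pos + len(expected)] = [l[1:] for l in body if l[0] in " +"]
    return out

def plan_series(series):
    """Review step: the files each patch touches, with nothing written."""
    return [(name, [safe_relpath(p) for p, _ in parse_unified_diff(text)])
            for name, text in series]

def apply_series(tree, series):
    """Apply patches in series order as data; no code from the package runs."""
    plan_series(series)                          # reject unsafe paths first
    for name, text in series:
        for path, hunks in parse_unified_diff(text):
            target = Path(tree, safe_relpath(path))
            new_lines = apply_hunks(target.read_text().splitlines(), hunks)
            target.write_text("\n".join(new_lines) + "\n")
    return [name for name, _ in series]

# Constructed sample input: a tiny tree, one good patch, one escaping patch.
HELLO_C = '#include <stdio.h>\nint main(void)\n{\n    puts("hello");\n    return 0;\n}\n'
PATCH_GREETING = """\
--- a/src/hello.c
+++ b/src/hello.c
@@ -4,2 +4,2 @@
-    puts("hello");
+    puts("hello, world");
     return 0;
"""
PATCH_ESCAPE = "--- a/../../x\n+++ b/../../x\n@@ -1 +1 @@\n-x\n+y\n"

def demo():
    """Set up the constructed tree, review, apply, then try the escaping patch."""
    with tempfile.TemporaryDirectory() as tree:
        hello = Path(tree, "src", "hello.c")
        hello.parent.mkdir()
        hello.write_text(HELLO_C)
        good = [("01-greeting.patch", PATCH_GREETING)]
        plan, applied = plan_series(good), apply_series(tree, good)
        patched = hello.read_text()
        try:
            apply_series(tree, [("02-escape.patch", PATCH_ESCAPE)])
            refused = False
        except ValueError:
            refused = True
    return {"plan": plan, "applied": applied, "hello_c": patched,
            "escape_refused": refused}
```

The point of plan_series() is the one made in the reply: a sponsor can unpack and see exactly what the patches will touch before any tool changes the tree, and nothing shipped in the package is ever executed. The caveat safe_relpath() covers is that "data only" does not mean harmless: a patch whose target path contains ".." or is absolute would still write outside the unpacked tree, so the applier refuses it up front rather than after earlier patches in the series have already been applied.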
