[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to cope with patches sanely

Le Fri, Feb 01, 2008 at 11:42:49AM +0200, Lars Wirzenius a écrit :
> At the moment, I can unpack a source package and then review it before I
> run anything. You propose to make things more complicated by having to
> review things before unpacking. I find that to be an unwanted,
> unnecessary, and _dangerous_ complication.
> We can create ways in which
> patches are applied by dpkg-source directly, for example, instead of
> having to run code from the package. That's the point of my
> participation in this sub-thread: to stop the _wrong_ way of
> implementing this.

Hi Lars, hi all,

Of course, the idea of having dpkg-source applying the relevant patches
trough its own routines is better than having it calling 'debian/rules
patch', for the security reasons you explained before.

I have reviewed bug #250202, which was nicely summarised by Russ Allbery
in early January, and tried to update the summary of our discussion on
the wiki and to integrate ideas from bug #250202.

As said before, the direction that is currently taken at the Policy
level would be to require documenting how to "make the source ready for
editing" in a file called README.source. It would be recommended to
implement a 'patched' target that would take care of this.

The security issue you raised has also been noted in #250202, therefore
it is not proposed to automate the calling of this rule (in addition, it
would require to know the build-dependancies before unpacking, which is
not convenient).

So I guess that if you like your idea of implementing patching natively
in dpkg-source, it is recommended to contribute it to the discussion of
bug #250202.

There is another possibility that has been suggested, which is to build
the source package with the patched sources. An immediate side-effect of
this is that it overloads the .diff.gz, but such kind of overloading has
apparently been tolerated in other cases, in particular for packages
using autoconf/autmake, so why not?

Lastly, I would like to ask a quesiton about Wig&Pen: as it would be
illegal to provide both a .diff.gz and a .debian.tar.gz file at the same
time (http://www.dpkg.org/dpkg/NewSourceFormat), it seems that it
matches well the debian/patches workflow, except that the trick of
patching the sources at clean time would not work anymore. But the
biggest problem may be that unless I missed something, there was no
clear answer when it was asked if somebody was woring on Wig&Pen.

Is there sombody working on Wig&Pen? Is the format consensual enough
that it would be accepted in Debian?

Have a nice day,

Charles Plessy
Wakō, Saitama, Japan

Reply to: