
Re: broken .orig.tar.gz (Re: package upload rejected - no email)



* Steve Langasek <vorlon@debian.org> [080316 21:14]:
> There is no requirement that we ship pristine tarballs as downloaded from
> upstream.

But doing so without a good reason or in this case without any reason at
all just makes no sense. I do not know why it is only in the DevRef but
not in policy. (I was under the impression it also was in policy,
without that it is a little less severe, but still a very bad sign).

> > (What if the .orig.tar.gz was not only repacked but actually modified,
> > would everyone have noticed?)
>
> Why should that block it from inclusion in the archive?  Do you suppose
> there's something magical about all upstream tarballs that makes them
> non-crap and instantly trustworthy by the ftp team?
> Using the pristine tarballs makes it easier to blame certain problems on
> upstream, but that's all.

There is no instant trustworthiness of upstream tarballs, but having
differing tarballs weakens security for all involved parties.
Having the same file everywhere means malicious code must be hidden well
enough so that no one will find it early enough. It means users can just
download the files and compare their checksums without having to look
at the contents to know that checking one of them is enough.

I do not think that having one source non-pristine is a big problem that
has to be fixed, as anything else would just cause confusion.

But I think it is a problem that such a thing was able to get in.
As it is not a policy rule broken, I fear less that no one has even
looked at the file. But the alternative of someone looking, realising this
mistake and just letting it in anyway is not very comforting either.

Respectfully,
	Bernhard R. Link
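The checksum argument made above can be shown concretely. The following is an added example, not code from the mail or from Debian's tooling: it builds two tarballs from the same constructed file set, one "upstream" and one "repacked" with different timestamps and ownership, and shows that the repacked archive no longer matches the published hash even though a content-level comparison finds it identical. A third archive with one byte changed shows what the content comparison is actually for. File names, contents and timestamps are all made up for the example.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample upstream contents (hypothetical project "foo-1.0").
UPSTREAM_FILES = {
    "foo-1.0/README": b"example project\n",
    "foo-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def build_tarball(files, mtime, owner):
    """Build a .tar.gz in memory.

    mtime and owner stand in for the metadata that changes when a tarball
    is repacked; the member contents are identical across repackings.
    """
    raw = io.BytesIO()
    # Fix the gzip header mtime as well, so output is fully deterministic.
    with gzip.GzipFile(fileobj=raw, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, data in sorted(files.items()):
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = mtime
                info.uname = owner
                tar.addfile(info, io.BytesIO(data))
    return raw.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_pristine(candidate, published_sha256):
    """The cheap check: does the file match the checksum upstream published?"""
    return sha256(candidate) == published_sha256


def content_digest(tarball):
    """The expensive check: hash member names and contents only,
    ignoring tar headers and gzip metadata, so repacking does not matter."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(member.name.encode() + b"\0")
            if member.isfile():
                h.update(tar.extractfile(member).read())
            h.update(b"\0")
    return h.hexdigest()


def compare_archives():
    """Return what each check says about a repacked and a modified tarball."""
    upstream = build_tarball(UPSTREAM_FILES, mtime=1205000000, owner="upstream")
    repacked = build_tarball(UPSTREAM_FILES, mtime=1205700000, owner="maintainer")

    modified_files = dict(UPSTREAM_FILES)
    modified_files["foo-1.0/src/main.c"] = b"int main(void) { return 1; }\n"
    modified = build_tarball(modified_files, mtime=1205000000, owner="upstream")

    published = sha256(upstream)
    return {
        # Repacking alone already defeats the checksum comparison ...
        "repacked_matches_published_hash": verify_pristine(repacked, published),
        # ... so one has to fall back to comparing the contents.
        "repacked_same_contents": content_digest(repacked) == content_digest(upstream),
        "modified_matches_published_hash": verify_pristine(modified, published),
        "modified_same_contents": content_digest(modified) == content_digest(upstream),
    }


if __name__ == "__main__":
    for check, result in compare_archives().items():
        print(f"{check}: {result}")
```

The point of the pairing: with a pristine tarball, a single hash comparison against upstream's published value settles the question for every mirror and every user; once the archive is repacked, that comparison fails for harmless reasons, and anyone who wants assurance has to unpack and compare contents, which is exactly the work the mail says nobody should need to do.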

