
Re: quilt 3.0 source format and dpkg-source/dpkg-buildpackage

Charles Plessy <plessy@debian.org> writes:

> In my opinion, much of the current disagreements come from two false needs:

>  * Apply patches so that dpkg-source -x gives buildable source.

That was the need that had as much or more project consensus as anything
else on my list, and as I recall was the impetus for doing the whole
next-generation source format work in the first place.

> I remember the discussion that took place during DEP1 preparation. It
> already had the outcome that the main patch systems converged on a
> common interface:

>  - Store the patches in debian/patches;
>  - Apply them with ‘debian/rules patch’;
>  - Document specificities in debian/README.source.

If I'm not mistaken, that convergence and standardization actually
happened *after* the 3.0 work was mostly finished.  Certainly after the
2.0 work.

> There were some concerns that applying patches through debian/rules
> could be a security hole. In my opinion – that I already expressed in
> the DEP1 discussion – given that 1) dpkg-source will not extract
> packages that are not GPG-trusted,

Eh?  I'm fairly sure it does for me, although it prints a warning.

> Personally, I am completely unconvinced of the necessity of applying
> patches at unpack time, nor of standardising on one particular patch
> implementation instead of using a clear patch interface as the one above
> (parts of which being already in the Debian Policy). If I am not the
> only one having this concern, maybe we could ask the technical committee
> to give us its conclusions on this matter. I am ready to follow it.

I personally don't have a strong opinion, but there were a lot of people
who felt this was important during the initial discussions.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
