Re: uscan enhancement take 3: script hook

To: Simon McVittie <smcv@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: uscan enhancement take 3: script hook
From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
Date: Wed, 29 Aug 2012 10:41:19 +0200
Message-id: <[🔎] CAE2SPAbSOO3XoHAwmV01to+3GTk7PKw6fZ140buKGGcD1B7F1A@mail.gmail.com>
In-reply-to: <[🔎] 503DD00F.4040509@debian.org>
References: <[🔎] 20120829065509.GB22344@an3as.eu> <[🔎] 503DD00F.4040509@debian.org>

Le 29 août 2012 10:17, "Simon McVittie" <smcv@debian.org> a écrit :
>
> On 29/08/12 07:55, Andreas Tille wrote:
> > When trying to get rid of some get-orig-source
> > scripts I noticed that besided some file removals I need to execute
> > some extra code. This is basically fetching some extra files like
> > sources for documentation, uncompressed JS files etc from external
> > sources (http, VCS).
>
> Shouldn't this be put in the debian directory or in a dpkg-source v3
> secondary tarball?
Yes this seems a good idea. But we may need a policy about this:why prefer new tarball instead of patching ?
Putting them in the repacked tarball seems a bit
> inconsistent: if you weren't repacking for DFSG reasons already, surely
> you wouldn't repack just to add the missing bits, you'd incorporate them
> via the debian directory or an extra tarball instead?
>
> (Indeed, one of my packages used to add its top-level Makefile as the
> first patch in the quilt series, because upstream distributed it in svn
> but forgot to put it in the released tarball...)
>
> > IMHO this could be done quite simple if we would enable uscan to call a
> > script say debian/uscan.hook (feel free to propose a better name).
>
> This is a security flaw if you want uscan to be safe to use on untrusted
> source (e.g. in DEHS). It seems that uscan tries to make its use of
> regexes, at least, not imply arbitrary code execution.
>
> You could make it safe like this: If uscan.hook exists, uscan warns and
> exits with a nonzero code distinct from normal failures[1], unless it
> was run with the --trust-maintainer option (or something) which means it
> runs uscan.hook as designed.
>
> S
>
> [1] so that, e.g., DEHS can catch that error code and report it as
> "looks mostly OK, but I can't test it fully because there's a uscan.hook".
>
>
> --
> To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 503DD00F.4040509@debian.org">http://lists.debian.org/[🔎] 503DD00F.4040509@debian.org
>

Reply to:

References:
- uscan enhancement take 3: script hook
  - From: Andreas Tille <andreas@an3as.eu>
- Re: uscan enhancement take 3: script hook
  - From: Simon McVittie <smcv@debian.org>

Prev by Date: Re: Proposal: Making Debian compiler agnostic
Next by Date: Re: uscan enhancement take 3: script hook
Previous by thread: Re: uscan enhancement take 3: script hook
Next by thread: Re: uscan enhancement take 3: script hook
Index(es):
- Date
- Thread