Re: Discarding uploaded binary packages
On Wed, Oct 17, 2012 at 4:07 PM, Bernhard R. Link <email@example.com> wrote:
> * Michael Gilbert <firstname.lastname@example.org> [121016 04:59]:
>> Anyway, all of these build system path sanitization issues can be
>> eliminated by using the buildds for all architectures, since paths
>> will start with at least /build that requires root-level action to
>> exist on users' systems.
> They are not eliminated by using only buildds. They are only moved
> towards people that want to build their privately patched software
> then, which is something they have a right to do. A package not
> building properly or differently when built in a clean system with
> all the build-depended packages installed and all the
> build-conflicted packages not installed is a critical bug.
> Recreating binary packages uploaded by maintainers has some merrits,
> but this is definitely not one of them...
Really? Take a look the affected isc-dhcp package. The prefix for
the amd64 architecture (the one I built and uploaded) is
/home/<username>/.... which someone with a <username> account can put
code in. The other architectures are /build/build-isc-dhcp.... which
does not exist without root creating it at some point. Now that's
still not right, but its more of a hurdle for someone trying to take
advantage of the issue.
Anyway, reading again, I not sure that your reply actually considers
build path sanitization problems, which is what my statement was