[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Discarding uploaded binary packages

On Wed, Oct 17, 2012 at 4:07 PM, Bernhard R. Link <brlink@debian.org> wrote:
> * Michael Gilbert <mgilbert@debian.org> [121016 04:59]:
>> Anyway, all of these build system path sanitization issues can be
>> eliminated by using the buildds for all architectures, since paths
>> will start with at least /build that requires root-level action to
>> exist on users' systems.
> They are not eliminated by using only buildds. They are only moved
> towards people that want to build their privately patched software
> then, which is something they have a right to do. A package not
> building properly or differently when built in a clean system with
> all the build-depended packages installed and all the
> build-conflicted packages not installed is a critical bug.
> Recreating binary packages uploaded by maintainers has some merrits,
> but this is definitely not one of them...

Really?  Take a look the affected isc-dhcp package.  The prefix for
the amd64 architecture (the one I built and uploaded) is
/home/<username>/.... which someone with a <username> account can put
code in.  The other architectures are /build/build-isc-dhcp.... which
does not exist without root creating it at some point.  Now that's
still not right, but its more of a hurdle for someone trying to take
advantage of the issue.

Anyway, reading again, I not sure that your reply actually considers
build path sanitization problems, which is what my statement was

Best wishes,

Reply to: