[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg patch

Ryan Lortie wrote:
> The reason for these files is obviously to avoid the need to remember to
> type -I or -i every time.

>   3) debuild

The obvious way to solve needing to type -I and -i every time is to use
a wrapper, such as debuild, to do it. 

I've been using a personal "build" wrapper[1] for 9 years, to do just
that, and AFAIK I have never accidentially forgotten to exclude files,
thanks to having a wrapper to remember it for me.

I quite like Raphael's idea of a configuration file (or environment
variables?) to add default options for dpkg-buildpackage and related
tools. It's much nicer to have the functionality in the tools, rather
than in a wrapper, as you then don't have to worry about making sure
that the wrapper is always used.

That said, if you're already using debuild as a wrapper, it could either
be extended, or a wrapper put around it. Either alternative seems much
cleaner than adding these files to dpkg-source.

> 1) In almost any sane situation, building the source package involves
> running the clean rule first.

I think everyone is agreed that a tool like dpkg-source (or rpm, or
tar..) should not execute code from a source package when unpacking it.
It seems counterintuitive for such a tool to execute code from a source
package when doing the inverse operation, and dpkg-source would be the
only such low-level tool that I know of to do that. Combined with it not
explicitly doing it, but only allowing code execution via a regexp, this
has all the earmarks of either being a security hole, or contributing to
one later.

> 2) Someone with slightly more perl-fu than myself could surely write
> some regexp to detect exploit attempts.

Doing so securely requires not just perl-fu, but prescience, since
a) perl tends to add new constructs from time to time
b) new security holes tend to be found in regexp engines from time to time

I believe the following transformation of globs into regexps is
reasonably secure. (I use this in ikiwiki.) I'd be wary of anything more


see shy jo

[1] http://git.kitenet.net/?p=joey/home;a=blob;f=bin/build

Attachment: signature.asc
Description: Digital signature

Reply to: