
Re: dpkg patch



Ryan Lortie wrote:
> The reason for these files is obviously to avoid the need to remember to
> type -I or -i every time.

>   3) debuild

The obvious way to solve needing to type -I and -i every time is to use
a wrapper, such as debuild, to do it. 

I've been using a personal "build" wrapper[1] for 9 years, to do just
that, and AFAIK I have never accidentally forgotten to exclude files,
thanks to having a wrapper to remember it for me.

I quite like Raphael's idea of a configuration file (or environment
variables?) to add default options for dpkg-buildpackage and related
tools. It's much nicer to have the functionality in the tools, rather
than in a wrapper, as you then don't have to worry about making sure
that the wrapper is always used.

That said, if you're already using debuild as a wrapper, it could either
be extended, or a wrapper put around it. Either alternative seems much
cleaner than adding these files to dpkg-source.

> 1) In almost any sane situation, building the source package involves
> running the clean rule first.

I think everyone is agreed that a tool like dpkg-source (or rpm, or
tar..) should not execute code from a source package when unpacking it.
It seems counterintuitive for such a tool to execute code from a source
package when doing the inverse operation, and dpkg-source would be the
only such low-level tool that I know of to do that. Combined with it not
explicitly doing it, but only allowing code execution via a regexp, this
has all the earmarks of either being a security hole, or contributing to
one later.

> 2) Someone with slightly more perl-fu than myself could surely write
> some regexp to detect exploit attempts.

Doing so securely requires not just perl-fu, but prescience, since
a) perl tends to add new constructs from time to time
b) new security holes tend to be found in regexp engines from time to time

I believe the following transformation of globs into regexps is
reasonably secure. (I use this in ikiwiki.) I'd be wary of anything more
powerful.

	$regexp=quotemeta($glob);
	$regexp=~s/\\\*/.*/g;
	$regexp=~s/\\\?/./g;

-- 
see shy jo

[1] http://git.kitenet.net/?p=joey/home;a=blob;f=bin/build
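
Added example, not part of the original message and not ikiwiki's own code: the three-line glob transformation above wrapped in a function and run over constructed patterns, to show that regexp syntax in a glob (code blocks, alternation, character classes, backslashes) ends up matched literally. The function name, the \A/\z anchoring, the /s flag and all sample globs and file names are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn a shell-style glob into a compiled regexp. Only "*" and "?" keep a
# special meaning; everything else is escaped by quotemeta first.
sub glob2regexp {
    my ($glob) = @_;
    my $regexp = quotemeta($glob);   # escape every non-word character
    $regexp =~ s/\\\*/.*/g;          # escaped "*" -> any run of characters
    $regexp =~ s/\\\?/./g;           # escaped "?" -> exactly one character
    # Anchoring and /s are choices made for this example: the whole name
    # must match, and "." also matches a newline inside a file name.
    return qr/\A${regexp}\z/s;
}

# Constructed sample globs, several of them carrying regexp syntax.
my @globs = (
    '*.o',
    'build-?',
    '(?{ print "code ran\n" })',     # regexp code block, as plain text
    'a|b',                           # alternation
    '[a-z]*',                        # character class
    '\*',                            # backslash in front of a wildcard
);

# Constructed sample file names.
my @files = (
    'main.o', 'build-1', 'build-10', 'a', 'a|b', '[a-z]x', '\tmp',
    '(?{ print "code ran\n" })',
);

for my $glob (@globs) {
    my $re   = glob2regexp($glob);
    my @hits = grep { $_ =~ $re } @files;
    printf "%-28s => %s\n", $glob, @hits ? join(', ', @hits) : '(no match)';
}
```

Because quotemeta runs before the two substitutions, a backslash supplied in the glob is itself escaped and cannot be used to un-escape a later metacharacter.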
