
Re: RFS: Plash: a shell and restricted environment for running programs with minimum authority



On Sat, Aug 20, 2005 at 11:47:51PM +0100, Mark Seaborn wrote:
> "Roberto C. Sanchez" <roberto@familiasanchez.net> wrote:

> > On Sat, Aug 20, 2005 at 03:01:40PM +0100, Mark Seaborn wrote:
> > > I'm looking for a sponsor for putting Plash into Debian.

> > > The main page is:  http://plash.beasts.org
> > > and Debian packages are at:
> > > http://www.cs.jhu.edu/~seaborn/plash/plash_1.11_i386.deb
> > > http://savannah.nongnu.org/download/plash/plash_1.11.dsc
> > > http://savannah.nongnu.org/download/plash/plash_1.11.tar.gz
> > > (The Debian source package contains a copy of glibc 2.3.3, which is
> > > 13Mb, but the source for Plash itself is only 200k.)

> > Why?  This is a sure-fire way to make sure a package is not accepted.

> How else am I supposed to do it?  It needs the glibc source to build.

> Is there a way for a source package to use the contents of another
> source package, such as Debian's existing glibc package?  Even if
> there was, this is not very helpful, because Debian includes glibc
> 2.3.2.

*Why* does it need the glibc source to build?  Does it need *all* of the
source, or is there some way to get its size down to a sane level?

Why does it use a modified version of glibc, instead of intercepting
library calls using an LD_PRELOADed wrapper?  Is this because a user
could unset the LD_PRELOAD variable to escape the environment?  If
that's the case, what happens if a user copies their own libc.so.6 into 
the chroot and tells the dynamic linker to use *that*?

Including a full copy of glibc in this package also means that it will
be affected by the same security holes that affect the main glibc
package, and you say that it doesn't even use the same base version of
glibc.  I don't think the security team will go for this.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
