[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Please try expo.debian.net -- a replacement for mentors.debian.net

Hi Asheesh,

On Tue, Jul 26, 2011 at 04:01:26PM -0400, Asheesh Laroia wrote:
> On Tue, 26 Jul 2011, Kilian Krause wrote:
> >* whether or not the orig.tar.gz is original
> How do we detect this programmatically?

Thanks for taking the time to even explain that detailled how to get the
code working in the new way we're all proposing! That's an awesome help for
any of us having the free time to actually code something together and lend
this new project a helping hand!

As for the above, I'll happily throw in the technical background I had in

- detect whether debian/watch is there and useful
- if so and if the version is not mangled (like ~dfsg etc.), run uscan
  --force-download in a patched version that does not involve uupdate or
  svn-update (i.e. does call any programs that an "attacker" might want to
  turn against us)
- diff that against the orig.tar.* uploaded
- if different, put up a warning, unpack both and list the diff -urN if any

I'm not entirely sure if we want to run get-orig-source targets to rebuild
~dfsg tarballs and compare them. Or rather how we could sandbox that process
to make sure we're on the safe side but still don't allow any attacker to
abuse the system.

Best regards,

Attachment: signature.asc
Description: Digital signature

Reply to: