Hi Asheesh, On Tue, Jul 26, 2011 at 04:01:26PM -0400, Asheesh Laroia wrote: > On Tue, 26 Jul 2011, Kilian Krause wrote: [...] > >* whether or not the orig.tar.gz is original > > How do we detect this programmatically? Thanks for taking the time to even explain that detailled how to get the code working in the new way we're all proposing! That's an awesome help for any of us having the free time to actually code something together and lend this new project a helping hand! As for the above, I'll happily throw in the technical background I had in mind: - detect whether debian/watch is there and useful - if so and if the version is not mangled (like ~dfsg etc.), run uscan --force-download in a patched version that does not involve uupdate or svn-update (i.e. does call any programs that an "attacker" might want to turn against us) - diff that against the orig.tar.* uploaded - if different, put up a warning, unpack both and list the diff -urN if any I'm not entirely sure if we want to run get-orig-source targets to rebuild ~dfsg tarballs and compare them. Or rather how we could sandbox that process to make sure we're on the safe side but still don't allow any attacker to abuse the system. -- Best regards, Kilian
Attachment:
signature.asc
Description: Digital signature