
Re: Please try expo.debian.net -- a replacement for mentors.debian.net

On Tue, 26 Jul 2011, Kilian Krause wrote:

> Hi Asheesh,
>
> On Tue, Jul 26, 2011 at 04:01:26PM -0400, Asheesh Laroia wrote:
> > On Tue, 26 Jul 2011, Kilian Krause wrote:
> > > * whether or not the orig.tar.gz is original
> >
> > How do we detect this programmatically?
>
> Thanks for taking the time to even explain that detailed how to get the
> code working in the new way we're all proposing! That's an awesome help for
> any of us having the free time to actually code something together and lend
> this new project a helping hand!
>
> As for the above, I'll happily throw in the technical background I had in
> mind:
>
> - detect whether debian/watch is there and useful
> - if so and if the version is not mangled (like ~dfsg etc.), run uscan
>   --force-download in a patched version that does not involve uupdate or
>   svn-update (i.e. does call any programs that an "attacker" might want to
>   turn against us)
> - diff that against the orig.tar.* uploaded
> - if different, put up a warning, unpack both and list the diff -urN if any

Out loud, I just found myself saying: "Whoooooaaaa so cool!"

That would be pretty awesome. I would completely love to see that.

> I'm not entirely sure if we want to run get-orig-source targets to rebuild
> ~dfsg tarballs and compare them. Or rather how we could sandbox that process
> to make sure we're on the safe side but still don't allow any attacker to
> abuse the system.

To do get-orig-source would be pretty amazingly great. You're right that safety would be a challenge when running code from within the debian/rules file.

It would be pretty superb to lock that process into a chroot. I would suggest using something like sbox <http://packages.debian.org/lenny/sbox-dtc> to do it.

-- Asheesh.
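The tarball comparison Kilian sketches above (diff the fetched upstream tarball against the uploaded orig.tar.*, and on a mismatch unpack both and show `diff -urN`), written out as an added example that is not code from this thread or from expo.debian.net. It assumes uscan has already fetched the upstream tarball to a path you pass in; the function names and the constructed fixture tarballs are mine, and nothing inside either archive is ever executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from expo.debian.net. It performs the
# last two steps above: compare the uploaded orig.tar.* with the upstream tarball
# and, if they differ, unpack both and show `diff -urN`. uscan is deliberately not
# run here; pass an already-fetched upstream tarball as the first argument.
set -u

sha256_of() {
    # SHA-256 of a file, with coreutils or BSD userland.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

unpack_tarball() {
    # $1 tarball, $2 destination. tar auto-detects gz/bz2/xz on extraction;
    # ownership and mode bits recorded in the archive are not honoured and
    # nothing inside the archive is executed.
    mkdir -p "$2"
    tar -xf "$1" -C "$2" --no-same-owner --no-same-permissions
}

# compare_orig UPSTREAM UPLOADED [DIFF_OUT]
# Returns 0 if the tarballs are byte-identical, 1 if they differ; on a
# difference the diff -urN of the unpacked trees goes to DIFF_OUT (default stdout).
compare_orig() {
    upstream=$1; uploaded=$2; out=${3:-/dev/stdout}
    if [ "$(sha256_of "$upstream")" = "$(sha256_of "$uploaded")" ]; then
        echo "OK: $uploaded is byte-identical to $upstream"
        return 0
    fi
    echo "WARNING: $uploaded differs from $upstream; see $out"
    scratch=$(mktemp -d)
    unpack_tarball "$upstream" "$scratch/upstream"
    unpack_tarball "$uploaded" "$scratch/uploaded"
    (cd "$scratch" && diff -urN upstream uploaded) >"$out"
    rm -rf "$scratch"
    return 1
}

# make_fixture DIR NAME CONTENT: constructed test tarball DIR/NAME.tar.gz holding
# foo-1.0/README with CONTENT (sample input, not a real upstream release).
make_fixture() {
    mkdir -p "$1/src-$2/foo-1.0"
    printf '%s\n' "$3" >"$1/src-$2/foo-1.0/README"
    tar -czf "$1/$2.tar.gz" -C "$1/src-$2" foo-1.0
}
```

A recompressed tarball (same tree, different compressor) fails the byte check but yields an empty diff, which is exactly the "list the diff -urN if any" case in the steps above; the get-orig-source variant Kilian is unsure about is not attempted here because it would run code from debian/rules.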
