Re: Please try expo.debian.net -- a replacement for mentors.debian.net

[Asheesh Laroia <asheesh@asheesh.org>]

On Tue, 26 Jul 2011, Kilian Krause wrote:

> Hi Asheesh,
>
> On Tue, Jul 26, 2011 at 04:01:26PM -0400, Asheesh Laroia wrote:
> > On Tue, 26 Jul 2011, Kilian Krause wrote:
> [...]
> > > * whether or not the orig.tar.gz is original
> >
> > How do we detect this programmatically?
>
> Thanks for taking the time to even explain that detailled how to get the
> code working in the new way we're all proposing! That's an awesome help for
> any of us having the free time to actually code something together and lend
> this new project a helping hand!
>
> As for the above, I'll happily throw in the technical background I had in
> mind:
>
> - detect whether debian/watch is there and useful
> - if so and if the version is not mangled (like ~dfsg etc.), run uscan
>  --force-download in a patched version that does not involve uupdate or
>  svn-update (i.e. does call any programs that an "attacker" might want to
>  turn against us)
> - diff that against the orig.tar.* uploaded
> - if different, put up a warning, unpack both and list the diff -urN if any

Out loud, I just found myself saying: "Whoooooaaaa so cool!"

That would be pretty awesome. I would completely love to see that.

> I'm not entirely sure if we want to run get-orig-source targets to 
> rebuild ~dfsg tarballs and compare them. Or rather how we could sandbox 
> that process to make sure we're on the safe side but still don't allow 
> any attacker to abuse the system.

To do get-orig-source would be pretty amazingly great. You're right that 
safety would a challenge when running code from within the debian/rules 
file.

It would be pretty superb to lock that process into a chroot. I would 
suggest using something like sbox 
<http://packages.debian.org/lenny/sbox-dtc> to do it.

-- Asheesh.