On Friday, 16 October 2015 at 21:10 +0200, Rafael Laboissiere wrote:
> Several DOG packages have unreproducible builds [1], due to the way "pkg
> install" works by creating a temporary build directory, whose name is
> randomly chosen [2].
>
> I found a way to get around this problem by changing the code in
> octave-pkg.mk from the octave-pkg-dev package, according to the patch
> attached to this message. It is not very elegant, but it seems to work
> well. Unless there are objections or someone finds a better solution, I
> will commit this change.

Thanks for caring about this.

I was just wondering whether this change does not introduce a security issue (it is usually considered bad practice to use predictable directories under /tmp, because /tmp is world-writable and a malicious user could exploit this). I therefore don't know if it is acceptable to use such a predictable directory under /tmp for building Debian packages. You should probably ask the Security Team or debian-devel@l.d.o.

-- 
  .''`.    Sébastien Villemot
 : :' :    Debian Developer
 `. `'     http://sebastien.villemot.name
   `-      GPG Key: 4096R/381A7594
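The concern raised in the reply (a predictable directory under a world-writable /tmp can be hijacked by another local user) is easy to reproduce. The script below is an added example; it is not code from this thread, from octave-pkg-dev or from the patch Rafael attached. It simulates the situation as a single unprivileged user inside a throwaway sandbox created with mktemp -d: a "shared" directory stands in for /tmp, a "victim" directory stands in for wherever the attacker wants the build to write, and the directory name octave-build-tmp is an assumed stand-in for whatever fixed name a patch might hard-code. Three builder variants are then run against a pre-planted symlink: the vulnerable `mkdir -p` pattern, `mkdir` without `-p` (which fails atomically if anything already exists at that path), and a predictable name placed under a private parent such as the package's own build tree, which is what keeps both reproducibility and safety.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from octave-pkg-dev.
# Runs entirely inside a private sandbox from mktemp -d, as one unprivileged
# user; the directory name and sandbox layout are assumptions for the demo.

set -u

NAME=octave-build-tmp   # assumed predictable name a patch might hard-code under /tmp

# Attacker: pre-create, in the shared directory $1, a symlink $2 -> $3 so that a
# builder using the "predictable" path writes wherever the attacker chose.
plant_symlink() {
    ln -s "$3" "$1/$2"
}

# Vulnerable pattern: "mkdir -p" is silent when the path already exists and
# follows the planted symlink, so the build output lands in the attacker's target.
naive_build() {
    mkdir -p "$1/$2" && printf 'build output\n' > "$1/$2/artifact"
}

# Hardened pattern A: mkdir without -p.  mkdir(2) fails with EEXIST on anything
# already present at that path, a dangling symlink included, so the attacker's
# entry is never used.  (Under a sticky-bit /tmp the attacker also cannot remove
# a directory we created, which is the same guarantee mktemp -d relies on.)
safe_build() {
    if ! mkdir "$1/$2" 2>/dev/null; then
        echo "refusing to use $1/$2: already exists" >&2
        return 1
    fi
    printf 'build output\n' > "$1/$2/artifact"
}

# Hardened pattern B: keep the predictable name (fine for reproducible builds)
# but put it under a parent only the builder can write to, e.g. the package's
# own build tree instead of /tmp.  An attacker cannot plant anything there.
private_parent_build() {
    chmod 0700 "$1" && mkdir -p "$1/$2" && printf 'build output\n' > "$1/$2/artifact"
}

# Run one scenario ("naive", "safe" or "private") in a fresh sandbox and print
# "hijacked" if the attacker redirected the build output into the victim
# directory, "contained" otherwise.  Returns 1 only for an unknown scenario.
run_scenario() {
    sb=$(mktemp -d)            # constructed sandbox; nothing outside it is touched
    shared="$sb/shared"        # stands in for the world-writable /tmp
    victim="$sb/victim"        # stands in for a directory the attacker wants written to
    mkdir -m 1777 "$shared" && mkdir "$victim"
    plant_symlink "$shared" "$NAME" "$victim"

    case $1 in
        naive)   naive_build "$shared" "$NAME" || : ;;
        safe)    safe_build "$shared" "$NAME" || : ;;
        private) mkdir "$sb/builddir" && private_parent_build "$sb/builddir" "$NAME" || : ;;
        *)       echo "unknown scenario: $1" >&2; rm -rf "$sb"; return 1 ;;
    esac

    if [ -e "$victim/artifact" ]; then echo hijacked; else echo contained; fi
    rm -rf "$sb"
}

# Stand-alone run: show all three outcomes side by side.
for s in naive safe private; do
    printf '%-8s %s\n' "$s" "$(run_scenario "$s")"
done
```

Pattern A alone does not give reproducible builds a free pass: with a fixed name it still fails if a stale directory from an earlier run is left in /tmp, and it must never be relaxed back to `mkdir -p`. Pattern B is the one that matches the goal of the patch, since a path inside the build tree is deterministic across rebuilds without ever depending on a directory other users can write to.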