Re: [Pkg-octave-devel] Unreproducible builds

To: pkg-octave-devel@lists.alioth.debian.org
Subject: Re: [Pkg-octave-devel] Unreproducible builds
From: Rafael Laboissiere <rafael@laboissiere.net>
Date: Mon, 19 Oct 2015 17:52:40 +0200
Message-id: <[🔎] 20151019155240.GA29690@laboissiere.net>
Mail-followup-to: pkg-octave-devel@lists.alioth.debian.org
In-reply-to: <[🔎] 1445260164.3375.21.camel@debian.org>
References: <[🔎] 20151016191026.GP5935@laboissiere.net> <[🔎] 1445260164.3375.21.camel@debian.org>

* Sébastien Villemot <sebastien@debian.org> [2015-10-19 15:09]:

I was just wondering if this change does not introduce a security issue(it is usually considered bad practice to use predictable directoriesunder /tmp, because /tmp is write-all and a malicious user couldexploit this). I therefore don't know if it is acceptable to use such apredictable directory under /tmp for building Debian packages.

I think you are right, predictable filenames in /tmp must be avoided inthe build process. Would it be acceptable to create a build directory in/var/cache?


It is too bad that the "pkg install" command makes a copy like this:

   copyfile (tgz, tmpdir)

where tgz, in our case, is ".". This means that a tmpdir created in thedebian/ directory will not work, because of the infinite recursion.


Rafael

Reply to:

Follow-Ups:
- Re: [Pkg-octave-devel] Unreproducible builds
  - From: Sébastien Villemot <sebastien@debian.org>
- Re: [Pkg-octave-devel] Unreproducible builds
  - From: Sébastien Villemot <sebastien@debian.org>

References:
- [Pkg-octave-devel] Unreproducible builds
  - From: Rafael Laboissiere <rafael@laboissiere.net>
- Re: [Pkg-octave-devel] Unreproducible builds
  - From: Sébastien Villemot <sebastien@debian.org>

Prev by Date: Re: [Pkg-octave-devel] Unreproducible builds
Next by Date: [Pkg-octave-devel] [RFU] octave-symbolic 2.2.2-2
Previous by thread: Re: [Pkg-octave-devel] Unreproducible builds
Next by thread: Re: [Pkg-octave-devel] Unreproducible builds
Index(es):
- Date
- Thread