Bug#845715: Required targets must not write outside of the source package tree

To: Johannes Schauer <josch@debian.org>, 845715@bugs.debian.org
Subject: Bug#845715: Required targets must not write outside of the source package tree
From: Bill Allombert <ballombe@debian.org>
Date: Sun, 11 Nov 2018 11:41:34 +0100
Message-id: <[🔎] 20181111104134.deyb6zuziclilrch@yellowpig>
Reply-to: Bill Allombert <ballombe@debian.org>, 845715@bugs.debian.org
In-reply-to: <[🔎] 87r2fs5lgc.fsf@hephaestus.silentflame.com>
References: <148013126214.5727.2833489398483306064.reportbug@localhost> <[🔎] 87k1luuf1s.fsf@iris.silentflame.com> <148013126214.5727.2833489398483306064.reportbug@localhost> <[🔎] 87woptdiwa.fsf@hope.eyrie.org> <148013126214.5727.2833489398483306064.reportbug@localhost> <[🔎] 20181103224251.b346wwggiykr4xmx@yellowpig> <[🔎] 87r2fs5lgc.fsf@hephaestus.silentflame.com> <148013126214.5727.2833489398483306064.reportbug@localhost>

On Sat, Nov 10, 2018 at 08:42:27PM -0700, Sean Whitton wrote:
> Hello,
> 
> On Sat 03 Nov 2018 at 11:42PM +0100, Bill Allombert wrote:
> 
> >> How about:
> >>
> >>     As an exception, required targets may write to the directory specified
> >>     by the ``TMPDIR`` environment variable (or ``/tmp`` if that is not
> >>     set), provided that files created in that directory are deleted before
> >>     the target completes and are not reused by subsequent executions of
> >>     the target.
> >>
> >> This explicitly states that this is an environment variable and makes it
> >> clear that it refers to a directory.
> >
> > I may be wrong but I expect that a lot of packages targets leaves stray
> > files and directory in /tmp (that are created by mktemp but not removed)
> > but not reused, and also that some of them fail to honor TMPDIR.
> >
> > Do we have some data about this ?
> 
> There isn't any data about this that I know of.
> 
> The patch says
> 
>     provided that files created in that directory are deleted before the
>     target completes and are not reused by subsequent executions of the
>     target.
> 
> rather than
> 
>     but files created in that directory must be deleted before the
>     targets completes and must not be reused by subsequent executions of
>     the target.

I am not sure I see the difference. Do you imply something like

     but files created in that directory SHOULD be deleted before the
     targets completes and MUST not be reused by subsequent executions of
     the target.

> so I don't think applying this patch would make a package RC-buggy
> simply because it left some things behind in /tmp.

This is my concern, yes.

> On the other hand, if a package built differently the second time
> because of some things left behind in /tmp, that would surely already be
> considered to be a bug, possibly RC, depending on what the differences
> were.

Oh, of course I agree with that.

What about the severity of using /tmp even if TMPDIR is set ?
I do not think it is RC outside of the build process so it would
be inconvenient.

(note that if everything honor TMPDIR, the issue of stray tmpfiles
is easily fixed by 
export TMPDIR=`mktemp -d`
...
rm -r $TMPDIR
unset TMPDIR
)

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Reply to:

Follow-Ups:
- Bug#845715: Required targets must not write outside of the source package tree
  - From: Sean Whitton <spwhitton@spwhitton.name>

References:
- Bug#845715: Required targets must not write outside of the source package tree
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Bug#845715: Required targets must not write outside of the source package tree
  - From: Russ Allbery <rra@debian.org>
- Bug#845715: Required targets must not write outside of the source package tree
  - From: Bill Allombert <ballombe@debian.org>
- Bug#845715: Required targets must not write outside of the source package tree
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Bug#690750: Broken links in developers-reference as published on the Debian's website
Next by Date: Bug#824495: debian-policy: Source packages "can" declare relationships
Previous by thread: Bug#845715: Required targets must not write outside of the source package tree
Next by thread: Bug#845715: Required targets must not write outside of the source package tree
Index(es):
- Date
- Thread