Re: Recommending get-orig-source for packages ?

To: debian-python@lists.debian.org
Subject: Re: Recommending get-orig-source for packages ?
From: Jakub Wilk <jwilk@debian.org>
Date: Wed, 4 Dec 2013 11:30:01 +0100
Message-id: <[🔎] 20131204103001.GA6986@jwilk.net>
Mail-followup-to: debian-python@lists.debian.org
In-reply-to: <[🔎] 20131204094106.GC22478@an3as.eu>
References: <[🔎] 87d2leos95.fsf@inf-8660.int-evry.fr> <[🔎] CAKTje6EmU_h+MoZqO880+KTxEmbFUorcEiSyW6u0NOgojRkysg@mail.gmail.com> <[🔎] l7m4em$t54$1@ger.gmane.org> <[🔎] CAKTje6HcFkma6+YgyHpUGe_bTo_3PfTRD_dxBEj1EQAWn-U3xg@mail.gmail.com> <[🔎] 20131204074354.GE19682@an3as.eu> <[🔎] 20131204081249.GA9933@jwilk.net> <[🔎] 20131204094106.GC22478@an3as.eu>

* Andreas Tille <andreas@an3as.eu>, 2013-12-04, 10:41:

uscan to grow features for removing files from upstream tarballs, in adeclarative way preferably.
That's in devscripts git and will be included in the next devscriptsversion. (see [1])
So now you'll have to audit both d/watch and d/copyright before you can runuscan. *sigh*

AFAICS they way get_main_source_dir() is currently implemented lets maliciousupstream to plant files in their tarball that would cause arbitrary codeexecution...

Well, there was a lenthy discussion, uscan bug, Wiki page trying to summariseeverything. The people who contributed did not brought up your (and Paul'sconcern) and I guess Charles Plessy would have been in favour of usingd/upstream. I do not think it is my fault if you did not raised you voicewhen it was time ...


https://lists.debian.org/debian-policy/20130116133513.GA4160@jwilk.net

By the way: currently you also have to audit another file in addition tod/watch if you need to exclude some files.

Unless you knew in advance that there's nothing to exclude, which was mostoften the case, and you could guess it just by looking at version.


--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: Recommending get-orig-source for packages ?
  - From: Charles Plessy <plessy@debian.org>
- Re: Recommending get-orig-source for packages ?
  - From: Andreas Tille <andreas@an3as.eu>

References:
- Recommending get-orig-source for packages ?
  - From: Olivier Berger <olivier.berger@telecom-sudparis.eu>
- Re: Recommending get-orig-source for packages ?
  - From: Paul Wise <pabs@debian.org>
- Re: Recommending get-orig-source for packages ?
  - From: Stuart Prescott <stuart@debian.org>
- Re: Recommending get-orig-source for packages ?
  - From: Paul Wise <pabs@debian.org>
- Re: Recommending get-orig-source for packages ?
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Recommending get-orig-source for packages ?
  - From: Jakub Wilk <jwilk@debian.org>
- Re: Recommending get-orig-source for packages ?
  - From: Andreas Tille <andreas@an3as.eu>

Prev by Date: Re: Recommending get-orig-source for packages ?
Next by Date: Re: Recommending get-orig-source for packages ?
Previous by thread: Re: Recommending get-orig-source for packages ?
Next by thread: Re: Recommending get-orig-source for packages ?
Index(es):
- Date
- Thread