Note that this script contains a temp file security hole:

dir=/tmp
...
tar -C "$temp" -czf "$dir/${name}_$version.orig.tar.gz" "$name-$version.orig"

This can be attacked via a standard symlink attack to overwrite arbitrary files.

BTW, you said it doesn't touch the original tree, but this line does:

find "$temp" -name CVS | xargs rm -rf

And could be quite annoying for someone running the script in a cvs checkout.

This seems like a very special purpose script to however you maintain your packages and does not seem generally suitable to be included in devscripts to me. I recognise this kind of thing, as I have quite a lot of similar scripts of my own and getting them cleaned up, generalised, and suitable for devscripts is not trivial. In general, most people who are building a debian package sans upstream tarball can already use dpkg-source's automatic generation of a tarball.

-- 
see shy jo
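The two problems raised in the message above (writing the tarball to a predictable path under /tmp, and stripping CVS directories from a tree the script did not create) have a standard defensive shape. The helper below is an added example, not the script under review or any devscripts code: it does all scratch work in a private mktemp directory, strips CVS only from its own copy, and refuses to deliver the result through a pre-existing symlink or file at the destination. The function names and the sample tree in the usage are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread or the reviewed script).
# Hardened version of "tar into a fixed /tmp path": private scratch dir,
# CVS removed from the copy only, symlink check before the final move.
set -u

# Private scratch directory: mktemp -d picks an unpredictable name and
# creates it mode 0700, so nothing can be planted inside it beforehand.
make_scratch() {
    mktemp -d "${TMPDIR:-/tmp}/origtar.XXXXXX"
}

# dest_is_safe PATH
# Returns 0 only if PATH does not yet exist. A symlink at PATH is exactly
# the attack described above (the write would land on the link target);
# any other pre-existing file is refused rather than clobbered.
dest_is_safe() {
    dest=$1
    if [ -L "$dest" ]; then
        echo "refusing to write through symlink: $dest" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing file: $dest" >&2
        return 1
    fi
    return 0
}

# build_orig_tarball SRCDIR NAME VERSION OUTDIR
# Copies SRCDIR into the scratch dir as NAME-VERSION.orig, removes CVS
# directories from that COPY only (the checkout in SRCDIR is untouched),
# builds the tarball inside the scratch dir, then moves it to
# OUTDIR/NAME_VERSION.orig.tar.gz after the symlink check.
# Prints the final path on success; returns non-zero on any failure.
build_orig_tarball() {
    src=$1 name=$2 version=$3 outdir=$4
    scratch=$(make_scratch) || return 1
    copy="$scratch/$name-$version.orig"

    cp -R "$src" "$copy" || { rm -rf "$scratch"; return 1; }
    # Prune CVS directories from the copy; -prune keeps find out of them
    # once they are scheduled for removal.
    find "$copy" -name CVS -type d -prune -exec rm -rf {} +

    tar -C "$scratch" -czf "$scratch/out.tar.gz" "$name-$version.orig" \
        || { rm -rf "$scratch"; return 1; }

    dest="$outdir/${name}_$version.orig.tar.gz"
    if ! dest_is_safe "$dest"; then
        rm -rf "$scratch"
        return 1
    fi
    # rename(2) replaces a symlink at the destination instead of following
    # it, so even a link planted between the check and the move cannot
    # redirect the write.
    mv "$scratch/out.tar.gz" "$dest" || { rm -rf "$scratch"; return 1; }
    rm -rf "$scratch"
    echo "$dest"
}

# Usage (constructed sample tree, not a real package):
#   mkdir -p /tmp/demo/src/foo/CVS /tmp/demo/out
#   echo hello > /tmp/demo/src/foo/file.txt
#   build_orig_tarball /tmp/demo/src/foo foo 1.0 /tmp/demo/out
```

The check in dest_is_safe is still a check-then-act sequence, which is why the final step is a rename into place rather than opening the destination for writing: tar never has the predictable path open, and mv over a planted symlink replaces the link rather than writing through it. The original tree is only ever read, so running the helper inside a cvs checkout leaves the checkout's CVS directories intact.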