On Wed, 18 Aug 2010, Iustin Pop wrote:

> First, thanks for reporting this. But I cannot reproduce this on
> unstable (in a clean pbuilder chroot), since the python-setuptools
> is new enough (for sid).
>
> While the behaviour of stable builds is not good (and the versioned
> dependency is incorrect), I don't think it warrants an RC status for
> this bug, as it doesn't affect sid/testing.
> Please explain why you think this is RC... My proposal would be to degrade to
> important, while I try to convince setuptools to do the right thing.

I think Debian packages, and that includes their source, should be secure by default. If trying to build a package in a slightly different environment suddenly starts to do insanely insecure things then that'd be a bug. Failing to build is fine; downloading code from the net and then running it without any kind of verification probably isn't.

It might not be something we can fix for this release, but I think this is a significant security bug in the source package.

Cheers,
weasel

--
Peter Palfrader
http://www.palfrader.org/