On Thu, May 15, 2014 at 11:41:36PM -0400, Nathan Scott wrote:
> Hi Aurelien,
>
> | On i386, pcp ships the upstream binary src/pmdas/mmv/mmvdump into
> | /var/lib/pcp/pmdas/mmv/mmvdump without rebuilding it. This violates
> | Debian policy and might be used by upstream to introduce backdoors or
> | other security issues.
>
> What gives that impression? It seems to not be the case to me,
> there is clearly code, makefile and no binary in the source tar
> ball...
>
> $ tar tzf ~/SOURCES/pcp-3.9.2.src.tar.gz | grep mmvdump
> pcp-3.9.2/src/pmdas/mmv/mmvdump.c
You are looking at the upstream tarball. Given you repackage it (which
probably warrants another bug report), you include some additional
binaries.

$ wget http://snapshot.debian.org/archive/debian/20140416T053134Z/pool/main/p/pcp/pcp_3.9.2.tar.xz
$ tar tvfJ pcp_3.9.2.tar.xz | grep mmvdump
-rwxr-xr-x 0/0 27908 2014-03-28 10:28 pcp-3.9.2/src/pmdas/mmv/mmvdump
-rw-r--r-- 0/0 8951 2014-01-09 00:29 pcp-3.9.2/src/pmdas/mmv/mmvdump.c

Of course, this has silently been fixed in version 3.9.4 without any
mention in the changelog.

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
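A mechanical version of the check done by hand above, as an added example (not from the thread or the pcp project): scan a source tarball for ELF files and flag those sitting beside a `.c`/`.cc`/`.cpp` file of the same name, which is what a prebuilt binary that should have been rebuilt looks like. The sample archive is constructed inline to mirror the pcp_3.9.2 listing; it is not the real tarball.

```python
import io
import tarfile

ELF_MAGIC = b"\x7fELF"
SOURCE_EXTS = (".c", ".cc", ".cpp")


def find_prebuilt_binaries(tar_bytes):
    """Return (path, is_executable, has_sibling_source) for every ELF file
    found in the archive. A hit with has_sibling_source=True is the pattern
    from the report: a compiled binary shipped next to its own source."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        members = {m.name: m for m in tf.getmembers()}
        for name, m in members.items():
            if not m.isfile():
                continue
            fobj = tf.extractfile(m)
            if fobj is None or fobj.read(4) != ELF_MAGIC:
                continue
            executable = bool(m.mode & 0o111)
            has_source = any(name + ext in members for ext in SOURCE_EXTS)
            hits.append((name, executable, has_source))
    return hits


def build_sample_tarball():
    """Constructed sample archive (gzip instead of xz; mode 'r:*' reads both).
    The mmvdump entry is a fake ELF header, not a real build product."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, data, mode):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tf.addfile(info, io.BytesIO(data))
        add("pcp-3.9.2/README", b"text\n", 0o644)
        add("pcp-3.9.2/src/pmdas/mmv/mmvdump.c", b"int main(void){return 0;}\n", 0o644)
        add("pcp-3.9.2/src/pmdas/mmv/mmvdump", ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 25, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for path, is_exec, has_src in find_prebuilt_binaries(build_sample_tarball()):
        print(f"{path}: executable={is_exec} source_present={has_src}")
```

Pointed at the real `pcp_3.9.2.tar.xz` from the snapshot URL above, the same function reports `pcp-3.9.2/src/pmdas/mmv/mmvdump` as the one ELF entry with a sibling source file.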