Ian Jackson said:
> Supposing I don't trust anything. How am I to examine the source
> package ? For example, I might like to unpack it and do a diff
> against a source tree I have checked more thoroughly.
> [...]
> If I have a packaging format that I can extract using a standard tool
> that I know doesn't `execute' the contents of the archive then common
> sense says that I'm not putting much more at risk than the target
> directory of the unpack.
>
> I shouldn't need to get into verifying the authenticity of packages
> and using PGP keys and what not just to *unpack* an archive !
> Likewise, I shouldn't need to drag half a dozen people into my trust
> envelope just to look at a pile of source code.

"Andrew D. Fernandes" <[EMAIL PROTECTED]> said:
> I *strongly* **strongly** agree with this. A short while ago, I was
> playing with some shell script installers for a tex package... the
> damn thing blasted away my personal ~/local/bin without a thought!

Ian says that we shouldn't preclude paranoia. Andrew makes the case that paranoia can be a good thing, citing an example which caused him problems because of insufficient paranoia.

Leaving aside the question of malicious intent (PGP security on uploads is eventually supposed to screen out all but those considered trustable to be without malicious intent, as I understand it), we're talking mainly about executing src-package unpacking and debianizing shell scripts which were written by (some unacceptably large number of) others and may have been written without sufficient thought by those others. A mistake, or a system-specific assumption, on the script-writer's part can cause problems for the person executing the script on a different system.

It seems to me that the paranoid can unpack source packages in a clean directory as an ordinary user. That ought to insulate them from most of the potential damage.

It also seems to me that we already accept essentially this exact same problem with binary package pre- and post-scripts. In fact, the problem in that case is much worse, since those scripts are always executed as root. The seriously paranoid can manually extract the binary package control components, of course, and examine the scripts before installing the package. This same option would be available to the seriously paranoid with regard to internal source package scripts used for unpacking and debianizing the sources they contain.

Hmmmmmm...... Just unpacking the package tarfiles as root in the process of binary package installation can be dangerous. Wasn't there a package floating around for a while which would clobber /etc/passwd by unpacking over it if the package was installed, and a base.deb version which installed a /sbin/unconfigured.sh script, causing the system to think it had not yet been configured on reboots following installation of that package?

Of course, the seriously paranoid can always carefully investigate binary package contents before installing a binary package as well.

The bottom line, I guess, is that I see less serious potential problems with the proposed source package scripts than I see with the already accepted and widely used binary package mechanisms. If we're to be paranoid, it seems to me that we ought to direct our paranoia to binary packages before source packages, because of the relative ease with which potential damage from unpacking source packages can be minimized as compared with the difficulty of minimizing the potential damage from installing binary packages.
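As an added example (not code from this thread or from Debian's tools), the kind of "investigate the contents first" check the message argues for: `tar -t` lists a package payload without extracting it, so a script can flag absolute or `..` paths and any entry that would overwrite a regular file already present on the target root, the /etc/passwd case above. The fake root and payload tarball are constructed inline; the `tar_audit` and `build_sample` names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a package payload tarball before
# it is unpacked as root. Reports entries with an absolute path or a ".."
# component, and entries that would overwrite a regular file already present
# under ROOT (the /etc/passwd case). ROOT defaults to / so a scratch tree can
# be passed for a dry run.

# tar_audit ARCHIVE [ROOT]: prints one line per finding; returns 1 if any.
tar_audit() {
    archive=$1
    root=${2:-/}
    findings=$(tar -tf "$archive" | while IFS= read -r entry; do
        case "$entry" in
            /*)     echo "ABSOLUTE:  $entry" ;;
        esac
        case "/$entry/" in
            */../*) echo "TRAVERSAL: $entry" ;;
        esac
        rel=${entry#./}; rel=${rel#/}
        case "$rel" in
            ''|*/) continue ;;   # the archive's own "./" entry, or a directory
        esac
        if [ -f "$root/$rel" ]; then
            echo "CLOBBER:   $entry (exists: $root/$rel)"
        fi
    done)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# build_sample: constructed fixture. Creates a fake root holding etc/passwd
# and a payload tarball carrying ./etc/passwd (would clobber it) plus a
# harmless ./usr/share/doc/foo/README. Prints the work directory.
build_sample() {
    work=$(mktemp -d)
    mkdir -p "$work/root/etc" "$work/pkg/etc" "$work/pkg/usr/share/doc/foo"
    echo 'root:x:0:0:root:/root:/bin/sh' > "$work/root/etc/passwd"
    echo 'root:x:0:0::/:/bin/false'      > "$work/pkg/etc/passwd"
    echo 'constructed sample doc'        > "$work/pkg/usr/share/doc/foo/README"
    ( cd "$work/pkg" && tar -cf ../data.tar . )
    echo "$work"
}

# Usage: "sh audit.sh demo" audits the constructed sample against its fake root.
if [ "${1:-}" = "demo" ]; then
    w=$(build_sample)
    tar_audit "$w/data.tar" "$w/root"
fi
```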