On Wed, Oct 17, 2012 at 4:07 PM, Bernhard R. Link <brl...@debian.org> wrote:
> * Michael Gilbert <mgilb...@debian.org> [121016 04:59]:
>> Anyway, all of these build system path sanitization issues can be
>> eliminated by using the buildds for all architectures, since paths
>> will start with at least /build that requires root-level action to
>> exist on users' systems.
>
> They are not eliminated by using only buildds. They are only moved
> towards people that want to build their privately patched software
> then, which is something they have a right to do. A package not
> building properly or differently when built in a clean system with
> all the build-depended packages installed and all the
> build-conflicted packages not installed is a critical bug.
>
> Recreating binary packages uploaded by maintainers has some merits,
> but this is definitely not one of them...
Really? Take a look at the affected isc-dhcp package. The prefix for the amd64 architecture (the one I built and uploaded) is /home/<username>/.... which someone with a <username> account can put code in. The other architectures are /build/build-isc-dhcp.... which does not exist without root creating it at some point. Now that's still not right, but it's more of a hurdle for someone trying to take advantage of the issue.

Anyway, reading again, I'm not sure that your reply actually considers build path sanitization problems, which is what my statement was about.

Best wishes,
Mike
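The check implied by Mike's comparison of the two prefixes, as an added example that is not part of the thread: a small Python script that pulls absolute paths out of a built file and flags those under directories an unprivileged local user can populate (/home, /tmp) separately from ones only root can create (/build). The prefix lists and the two sample byte strings are constructed for illustration, not taken from the real isc-dhcp binaries.

```python
import re
import sys

# Constructed classification for this check (not from the thread): directories an
# unprivileged local user can create or populate, versus ones only root can create.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/")
ROOT_ONLY_PREFIXES = ("/build/",)

# Absolute paths with at least two components, as they show up in `strings` output.
ABS_PATH_RE = re.compile(rb"/(?:[A-Za-z0-9_.@+-]+/)+[A-Za-z0-9_.@+-]*")


def find_embedded_paths(blob: bytes) -> list:
    """Return the distinct absolute paths embedded in raw binary contents."""
    return sorted({m.group(0).decode("ascii") for m in ABS_PATH_RE.finditer(blob)})


def classify(path: str) -> str:
    """Rank a path by who could create it on a stock installation."""
    if path.startswith(USER_WRITABLE_PREFIXES):
        return "user-writable"
    if path.startswith(ROOT_ONLY_PREFIXES):
        return "root-only"
    return "other"


def audit(blob: bytes) -> dict:
    """Group every embedded absolute path by its classification."""
    report = {"user-writable": [], "root-only": [], "other": []}
    for path in find_embedded_paths(blob):
        report[classify(path)].append(path)
    return report


def audit_file(filename: str) -> dict:
    """Run the audit over a real file on disk (e.g. a binary from a .deb)."""
    with open(filename, "rb") as fh:
        return audit(fh.read())


# Constructed stand-ins for the two builds discussed: a maintainer's home-directory
# build and a buildd build under /build. These are not real ELF binaries.
AMD64_HOME_BUILD = (b"\x7fELF\x00\x00prefix=/home/someuser/isc-dhcp/debian/tmp/usr"
                    b"\x00/etc/dhcp/dhcpd.conf\x00")
BUILDD_BUILD = (b"\x7fELF\x00\x00prefix=/build/build-isc-dhcp/debian/tmp/usr"
                b"\x00/etc/dhcp/dhcpd.conf\x00")

if __name__ == "__main__":
    reports = [audit_file(f) for f in sys.argv[1:]] or [audit(AMD64_HOME_BUILD)]
    for rep in reports:
        for path in rep["user-writable"]:
            print("FINDING: user-writable build path embedded:", path)
```

Run it with one or more files from an unpacked package to list any embedded paths that an ordinary local account could recreate.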