-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

severity 301607 critical
thanks

Hi again,

I just discovered that double quotes in long descriptions get stripped too, when the auto-update feature is enabled. That specific one is solved with the attached patch.

But what worries me most, though, is that the complete control.in file is interpreted as a shell script. What if someone (in good faith) had a small code example included in a long description like this:

  Don't use this package to do "my_package > /etc/passwd" directly.

That wouldn't just break - it would do funny things to your build environment!!! Thank goodness we all always use fakeroot - right?

I dare raise the severity of this bug. Yes, I am aware that DEB_AUTO_UPDATE_DEBIAN_CONTROL is an experimental feature, but still it shouldn't be able to cause surprises as fatal as these.

I very strongly suggest not to trust the complete debian/control file to be interpreted sanely as a shell script. Let's figure out a way to only mess with explicitly selected lines of the file instead.

 - Jonas

- -- 
 * Jonas Smedegaard - idealist and Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCT6j7n7DbMsAkQLgRAvUjAJwI1q/Ew6uoLAwCIFc0IA4PI6foGACgilia
iTyfEDwktlTnNtA/1aytB+c=
=IJiJ
-----END PGP SIGNATURE-----

--- /usr/share/cdbs/1/rules/buildcore.mk 2005-03-10 13:35:06.000000000 +0100 +++ buildcore.mk 2005-04-03 10:07:28.000000000 +0200 @@ -211,6 +211,7 @@ -e "s/\[cpu: \([^]]*\)\]/\[\`type-handling \\\\\`echo \1 | tr ' ' ','\\\\\` any\`\]/g" \ -e "s/\[system: \([^]]*\)\]/\[\`type-handling any \\\\\`echo \1 | tr ' ' ','\\\\\`\`\]/g" \ \ + -e "s/\"/\\\\\"/g" \ -e "s/^/echo \"/g" \ -e "s/\\$$/\\\\$$/g" \ -e "s/$$/\"/g" \
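
Review bot: the added `-e "s/\"/\\\\\"/g"` expression escapes only double quotes before `s/^/echo \"/g` wraps the line, so any other character the shell treats specially inside double quotes still takes effect when the generated script is evaluated. A backslash that already precedes a quote in the description becomes an escaped backslash followed by a bare quote, and backticks in description text cannot be told apart from the ones the `[cpu: ...]` and `[system: ...]` expressions insert on purpose. Suggest escaping existing backslashes ahead of this expression and escaping backticks before the two type-handling expressions run, or, as the report proposes, restricting shell evaluation to the lines that carry those markers.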