On Fri, 2008-02-01 at 01:45 +0900, Charles Plessy wrote:
> Hi Lars, I do not get your point.
>
> If you are concerned that the persons who sent you a package to sponsor
> have put malicious code in it, what I guess you will first review is
> whether the scripts you have to execute to test the packages are safe.

At the moment, I can unpack a source package and then review it before I
run anything. You propose to make things more complicated by having to
review things before unpacking. I find that to be an unwanted,
unnecessary, and _dangerous_ complication.

> Shall we conclude that the idea of
> automatically applying the patches when the sources are unpacked is
> ruled out by the complexity and the side-effect security issues that it
> would create ?

That is a highly premature conclusion. We can create ways in which
patches are applied by dpkg-source directly, for example, instead of
having to run code from the package. That's the point of my participation
in this sub-thread: to stop the _wrong_ way of implementing this. See
David Nusinow's e-mail[1] as an example of an outline for how this can be
done sanely. (He refers to Ted Tso's e-mail, and I think it's [2].)

[1] http://lists.debian.org/debian-devel/2008/02/msg00003.html
[2] http://lists.debian.org/debian-devel/2008/01/msg01008.html