On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti < michael.zane...@canonical.com> wrote:
> Hi, > > I've just been watching this demo [1] on how to publish click packages. > Looks > very promising! However, one question that comes up here is at the > uploading > step (3:13 in the video): > > The website allows to upload a binary package and a source package. > However, I > can't see any connection between those two. How can I be sure that the > binary > click package indeed contains an unmodified version of the uploaded source > package? From what I can see here I could easily publish some source code > and > then build a malicious package containing some additional bad code. > You will be confined by apparmor here and very limited in the bad things you can do. > Or will the uploaded binary click package be discarded and a new one built > from the source in case the source is uploaded? > There is no debian/rules to say how to build or a debian/control to tell you what else you need for building, so, although not authoritative, my answer would be no. The whole system seems to be friendly for pure interpreted/declarative code or closed source. For what it's worth, I am dealing with an out of band click package builder for the binary dependent packages we produce (i.e.; gallery-app, camera-app, filemanager-app, ...), the equivalents for the how to build would be feeded in and the what you need would be solved by having a base chroot with only the things that are dev packages for the meta ubuntu-touch. Building aside, and not even _store_ related, we also have and also take into account the testing of those as there are no dependencies (I'm more advanced on a temp solution for provisioning devices with what they need in a Ubuntu Image Based Upgrade world but the final solution should be an autopilot driver fully controlled from a host. Cheers (or not ;-) ) Sergio
-- Mailing list: https://launchpad.net/~ubuntu-phone Post to : ubuntu-phone@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-phone More help : https://help.launchpad.net/ListHelp
