Packaging Guidelines: Why so lax for BuildRoot?
Matt Domsch
Matt_Domsch at dell.com
Sun Mar 23 00:54:14 UTC 2008
On Sat, Mar 22, 2008 at 11:40:30PM +0000, Kevin Kofler wrote:
> Stephen Warren <s-t-rhbugzilla <at> wwwdotorg.org> writes:
> > I'm curious why the packaging guidelines aren't more specific re: the
> > requirements for the BuildRoot tag.
>
> Because there were endless fights over which of the 3 BuildRoots now listed is
> the right one, so they ended up just allowing all 3 as a compromise to stop the
> fights. By the way, the first one (the mktemp) is listed as preferred, but the
> second one is actually the one used by almost all packages (partly for
> historical reasons, it used to be the one which was mandated).
>
> >From a security standpoint, all those variants are flawed though (even the
> mktemp is subject to a race condition), there is a proposal by Lubomir Kundrak
> to fix the mess:
> http://fedoraproject.org/wiki/PackagingDrafts/SecureBuildRoot
> but so far it's just a proposal.
polyinstantiated namespaces such as /tmp could solve the race cleanly
too. Mock already knows how to do namespaces...
--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
More information about the fedora-devel-list
mailing list