Packaging Guidelines: Why so lax for BuildRoot?
Stephen John Smoogen
smooge at gmail.com
Sun Mar 23 19:16:12 UTC 2008
On Sat, Mar 22, 2008 at 10:30 PM, Tom Lane <tgl at redhat.com> wrote:
> Kevin Kofler <kevin.kofler at chello.at> writes:
> > From a security standpoint, all those variants are flawed though (even the
> > mktemp is subject to a race condition), there is a proposal by Lubomir Kundrak
> > to fix the mess:
> > http://fedoraproject.org/wiki/PackagingDrafts/SecureBuildRoot
> > but so far it's just a proposal.
>
> It's 100% nuts that the BuildRoot tag even exists. This is something
> that could and should be handled by intelligence inside rpmbuild,
> with no need to try to herd developers into agreeing on whatever the
> theory-of-the-month is.
>
> Expecting specfiles to rm -rf the buildroot is just as stupid.
>
> I don't grasp why anyone is thinking that hundreds (thousands?) of
> Fedora developers should deal with these things, rather than fixing it
> once in RPM itself.
>
Because Tradition is a hard nut to break. When the rules for doing
that were put into spec files back oh in RHL-3? RHL-4? it cleaned up a
lot of problems where people would get bad build roots otherwise.
While the problem is fixed in the general case of people using mock
etc for building packages.. that is a short time in the life of RPM
spec files. If you have been putting it in for 10+ years or you are
copying someone who has been doing it for 10+ years.. you are going to
keep stuff around.. because it made sense at one point, and you know
of some squirrelly corner case in xyz rpm where it is still needed.
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the fedora-devel-list
mailing list