Request for Review: dhcp-forwarder, dietlibc, ip-sentinel, util-vserver + xca

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Wed Mar 30 16:45:37 UTC 2005


bugs.michael at gmx.net (Michael Schwendt) writes:

>> > Source0:        http://download.sourceforge.net/sourceforge/xca/%name-%version.tar.gz
>> > I think it's preferred to list the exact name-version in there instead
>> > of macros.
>> 
>> Sorry, I will not change it as it adds redundancy and seduces reviewers
>> to copy & paste this URL without verifying its correctness.
> ...
> The Source URLs--if not SF.net--give no hint whether the download location
> belongs to the upstream project. Serious reviewers would need to start at
> Google (or the "URL:" tag) for full verification of tarball origins
> anyway.

Exactly. That's why copy & pasteable URLs are of no use: serious
reviewers have to find out/verify the correct URL nevertheless, they
are a burden for the packager, and the buildsystem works with both.


>> > BuildRoot:      %_tmppath/%name-%version-%release-buildroot
>> > The preferred value is
>> > "%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)" 
>> 
>> There is no big difference except the '%(%{__id_u} -n)' which does not
>> make much sense but adds complexity and gives a false feeling about
>> security. You have always a race between
>
> If memory serves correctly, the %__id_u thing was not for added
> security, but a somewhat sane default for multi-user environments

"multi-user environments" implies security measures. Both buildroots
(with and without the %__id_u thing) provide the same security. With an
insecure (world-writable) %_tmppath, both are insecure, and with a secure
%_tmppath, both are secure. "Secure %_tmppath" implies some
personalization (e.g. /var/tmp/.kde.<uid>). %__id_u is redundant to this
personalization and can therefore be omitted.



Enrico
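
The argument in the message above, as an added example that is not part of the original post or of any rpm/Fedora tooling: a shell check that rates a BuildRoot purely by the ownership and mode of its parent %_tmppath, so the names with and without the user suffix get the same verdict. The function names, the `pkg-1.0-1` package name and the temporary directories are constructed for illustration, and `stat -c` (GNU coreutils or busybox) is assumed.

```shell
#!/bin/sh
# Added example; assumes a stat that supports -c (GNU coreutils, busybox).

# True when DIR is a real directory (not a symlink) owned by the caller
# that neither group nor others can write to.
# Ancestor directories are not checked here.
tmppath_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Octal mode AND 022: any group/other write bit means "shared".
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Prints "secure" or "insecure" for BuildRoot NAME ($2) under PARENT ($1).
# NAME is deliberately ignored: a predictable name in a shared directory
# can be pre-created by another user whether or not it ends in a user name.
buildroot_verdict() {
    if tmppath_is_private "$1"; then echo secure; else echo insecure; fi
}

# Constructed demo: one private and one world-writable parent,
# each paired with both BuildRoot naming styles from the thread.
demo() {
    private=$(mktemp -d) || return 1
    shared=$(mktemp -d) || return 1
    chmod 1777 "$shared"
    user=$(id -un 2>/dev/null || id -u)
    for name in "pkg-1.0-1-buildroot" "pkg-1.0-1-root-$user"; do
        for parent in "$private" "$shared"; do
            printf '%-9s %s/%s\n' \
                "$(buildroot_verdict "$parent" "$name")" "$parent" "$name"
        done
    done
    rmdir "$private" "$shared"
}
demo
```
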




More information about the fedora-extras-list mailing list