Packaging Guidelines: Why so lax for BuildRoot?

[Stephen John Smoogen]

On Sat, Mar 22, 2008 at 10:30 PM, Tom Lane <tgl at redhat.com> wrote:
> Kevin Kofler <kevin.kofler at chello.at> writes:
>  > From a security standpoint, all those variants are flawed though (even the
>  > mktemp is subject to a race condition), there is a proposal by Lubomir Kundrak
>  > to fix the mess:
>  > http://fedoraproject.org/wiki/PackagingDrafts/SecureBuildRoot
>  > but so far it's just a proposal.
>
>  It's 100% nuts that the BuildRoot tag even exists.  This is something
>  that could and should be handled by intelligence inside rpmbuild,
>  with no need to try to herd developers into agreeing on whatever the
>  theory-of-the-month is.
>
>  Expecting specfiles to rm -rf the buildroot is just as stupid.
>
>  I don't grasp why anyone is thinking that hundreds (thousands?) of
>  Fedora developers should deal with these things, rather than fixing it
>  once in RPM itself.
>

Because Tradition is a hard nut to break. When the rules for doing
that were put into spec files back oh in RHL-3? RHL-4? it cleaned up a
lot of problems where people would get bad build roots otherwise.
While the problem is fixed in the general case of people using mock
etc for building packages.. that is a short time in the life of RPM
spec files. If you have been putting it in for 10+ years or you are
copying someone who has been doing it for 10+ years.. you are going to
keep stuff around.. because it made sense at one point, and you know
of some squirrelly corner case in xyz rpm where it is still needed.


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"