Packaging Guidelines: Why so lax for BuildRoot?
Stephen John Smoogen
smooge at gmail.com
Sun Mar 23 19:16:12 UTC 2008
On Sat, Mar 22, 2008 at 10:30 PM, Tom Lane <tgl at redhat.com> wrote:
> Kevin Kofler <kevin.kofler at chello.at> writes:
> > From a security standpoint, all those variants are flawed though (even the
> > mktemp is subject to a race condition), there is a proposal by Lubomir Kundrak
> > to fix the mess:
> > http://fedoraproject.org/wiki/PackagingDrafts/SecureBuildRoot
> > but so far it's just a proposal.
> It's 100% nuts that the BuildRoot tag even exists. This is something
> that could and should be handled by intelligence inside rpmbuild,
> with no need to try to herd developers into agreeing on whatever the
> theory-of-the-month is.
> Expecting specfiles to rm -rf the buildroot is just as stupid.
> I don't grasp why anyone is thinking that hundreds (thousands?) of
> Fedora developers should deal with these things, rather than fixing it
> once in RPM itself.
Because Tradition is a hard nut to break. When the rules for doing
that were put into spec files back oh in RHL-3? RHL-4? it cleaned up a
lot of problems where people would get bad build roots otherwise.
While the problem is fixed in the general case of people using mock
etc for building packages.. that is a short time in the life of RPM
spec files. If you have been putting it in for 10+ years or you are
copying someone who has been doing it for 10+ years.. you are going to
keep stuff around.. because it made sense at one point, and you know
of some squirrelly corner case in xyz rpm where it is still needed.
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"