[Pkg-octave-devel] Unreproducible builds
Sébastien Villemot
sebastien at debian.org
Mon Oct 19 13:09:24 UTC 2015
On Friday, 16 October 2015 at 21:10 +0200, Rafael Laboissiere wrote:
> Several DOG packages have unreproducible builds [1], due to the way
> "pkg install" works by creating a temporary build directory, whose name is
> randomly chosen [2].
>
> I found a way to get around this problem by changing the code in
> octave-pkg.mk from the octave-pkg-dev package, according to the patch
> attached to this message. It is not very elegant, but it seems to work
> well. Unless there are objections or someone finds a better
> solution, I will commit this change.
Thanks for caring about this.
I was just wondering if this change does not introduce a security issue
(it is usually considered bad practice to use predictable directories
under /tmp, because /tmp is write-all and a malicious user could
exploit this). I therefore don't know if it is acceptable to use such a
predictable directory under /tmp for building Debian packages. You
should probably ask the Security Team or debian-devel at l.d.o.
--
.''`. Sébastien Villemot
: :' : Debian Developer
`. `' http://sebastien.villemot.name
`- GPG Key: 4096R/381A7594
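The hazard raised above (a fixed, predictable build directory under the world-writable /tmp) and the two ways of avoiding it can be shown in a small POSIX shell script. This is an added example, not code from the thread or from octave-pkg-dev; the directory names, the `build_dir_ok` check and the in-tree layout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or octave-pkg-dev). Shows the unsafe
# pattern discussed in the message, two safer alternatives, and a check a
# build rule can run before using any directory. Names are constructed.

# Unsafe: a fixed path under /tmp. Because /tmp is world-writable, any local
# user could create this directory (or a symlink with this name) ahead of the
# build, so the build would write into a location it does not control.
predictable_dir() {
    printf '%s\n' "/tmp/octave-pkg-build"
}

# Safer, but not reproducible: mktemp -d calls mkdtemp(3), which creates a
# directory with an unpredictable name, atomically, with mode 0700.
random_dir() {
    mktemp -d "${TMPDIR:-/tmp}/octave-pkg-build.XXXXXX"
}

# Safer and reproducible: a deterministic name inside the package's own build
# tree ($1, e.g. the directory make runs in). That tree is owned by the
# building user and not world-writable, so a fixed name is no longer a
# problem and the path is stable across rebuilds.
in_tree_dir() {
    dir="$1/.octave-pkg-build"
    mkdir -p "$dir" && chmod 0700 "$dir" && printf '%s\n' "$dir"
}

# Defensive check for whichever directory is used: refuse it if it is a
# symlink (possibly planted), is not a directory, is owned by someone else,
# or is writable by group/others. Returns 0 when the directory is acceptable.
build_dir_ok() {
    dir="$1"
    [ ! -L "$dir" ] || return 1
    [ -d "$dir" ] || return 1
    # "uid perms" via GNU stat, falling back to BSD stat syntax.
    info=$(stat -c '%u %a' "$dir" 2>/dev/null || stat -f '%u %Lp' "$dir") || return 1
    owner=${info%% *}
    perms=${info##* }
    [ "$owner" = "$(id -u)" ] || return 1
    # Reject if the group or other octal digit carries the write bit (2).
    case "$perms" in
        *[2367][0-7]|*[2367]) return 1 ;;
    esac
    return 0
}

# Usage: build in a checked directory inside the package tree.
if [ "${0##*/}" = "build_dir_example.sh" ]; then
    bdir=$(in_tree_dir "$(pwd)")
    build_dir_ok "$bdir" && echo "building in $bdir"
fi
```

The in-tree variant is the one that answers both concerns at once: the name is fixed, so the build is reproducible, yet nobody else can pre-create it because the parent directory is not world-writable. The check still matters for any path that might be inherited from the environment.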