[Pkg-octave-devel] Unreproducible builds
Rafael Laboissiere
rafael at laboissiere.net
Mon Oct 19 15:52:40 UTC 2015
* Sébastien Villemot <sebastien at debian.org> [2015-10-19 15:09]:
> I was just wondering if this change does not introduce a security issue
> (it is usually considered bad practice to use predictable directories
> under /tmp, because /tmp is write-all and a malicious user could
> exploit this). I therefore don't know if it is acceptable to use such a
> predictable directory under /tmp for building Debian packages.
I think you are right, predictable filenames in /tmp must be avoided in
the build process. Would it be acceptable to create a build directory in
/var/cache?
It is too bad that the "pkg install" command makes a copy like this:
copyfile (tgz, tmpdir)
where tgz, in our case, is ".". This means that a tmpdir created in the
debian/ directory will not work, because of the infinite recursion.
Rafael
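As an added shell example (not code from this thread or from Octave's pkg command), one way to give the build a private, unpredictable directory outside the source tree, which addresses both the /tmp concern and the copy-into-itself recursion; the function names are my own:

```sh
#!/bin/sh
# Added example, not from the thread: create a private, unpredictable build
# directory and verify that it does not lie inside the source tree, so that
# copying "." into it cannot recurse into itself.

# Create a fresh directory with a random suffix; mktemp -d creates it mode
# 0700, so other users of the world-writable /tmp cannot pre-create or enter it.
make_build_dir() {
    mktemp -d "${TMPDIR:-/tmp}/octave-pkg-build.XXXXXXXX"
}

# Return 0 if $2 (target) is NOT inside $1 (source tree), 1 otherwise.
# Both paths are canonicalised so that "." and symlinks are handled.
outside_source_tree() {
    src=$(cd "$1" && pwd -P) || return 1
    dst=$(cd "$2" && pwd -P) || return 1
    case "$dst/" in
        "$src"/*) return 1 ;;   # target is the source tree or beneath it
        *)        return 0 ;;
    esac
}

# Copy the source tree (default ".") into a safe build directory, refusing
# to copy a directory into itself. Prints the build directory on success.
stage_source() {
    src=${1:-.}
    build=$(make_build_dir) || return 1
    if ! outside_source_tree "$src" "$build"; then
        echo "refusing to copy $src into itself" >&2
        rmdir "$build"
        return 1
    fi
    # Require owner-only permissions before trusting the directory (GNU stat).
    perms=$(stat -c %a "$build")
    [ "$perms" = 700 ] || { echo "unexpected mode $perms" >&2; return 1; }
    cp -a "$src/." "$build/" && echo "$build"
}
```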