[Pkg-octave-devel] Unreproducible builds
Sébastien Villemot
sebastien at debian.org
Sat Oct 24 21:03:55 UTC 2015
[sending reply again, hopefully correct this time]
On Monday 19 October 2015 at 17:52 +0200, Rafael Laboissiere wrote:
> * Sébastien Villemot <sebastien at debian.org> [2015-10-19 15:09]:
>
> > I was just wondering if this change does not introduce a security issue
> > (it is usually considered bad practice to use predictable directories
> > under /tmp, because /tmp is write-all and a malicious user could
> > exploit this). I therefore don't know if it is acceptable to use such a
> > predictable directory under /tmp for building Debian packages.
>
> I think you are right, predictable filenames in /tmp must be avoided in
> the build process. Would it be acceptable to create a build directory in
> /var/cache?
I think this is not acceptable, because the package would only be
buildable as root (while packages are usually built with fakeroot).
--
.''`. Sébastien Villemot
: :' : Debian Developer
`. `' http://sebastien.villemot.name
`- GPG Key: 4096R/381A7594
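The concern raised in this exchange (a fixed, guessable directory name under the world-writable /tmp) is illustrated below with an added example. It is not code from this thread or from the Octave packaging, and the sandbox paths, the "attacker" step (simulated by the same user) and the `octave-build` name are constructed for the demonstration: the naive script is redirected into another directory through a pre-planted symlink, a simple ownership/symlink check catches it, and `mktemp -d` sidesteps the problem by creating a fresh, unpredictable, mode 0700 directory.

```shell
#!/bin/sh
# Added illustration (not code from the pkg-octave-devel thread or from the
# Octave packaging): why a predictable build directory under /tmp is dangerous
# and how mktemp(1) avoids it. The attacker is simulated by the same user in a
# private sandbox standing in for /tmp; all names and paths are constructed.

# Unsafe pattern: a fixed, guessable name. /tmp is world-writable, so any local
# user can create this name (or a symlink with this name) before the build runs.
unsafe_builddir_name() {
    printf '%s\n' "octave-build"
}

# Safe pattern: mktemp -d creates a fresh directory with a random suffix and
# mode 0700, and fails instead of reusing a path that already exists.
safe_builddir() {
    mktemp -d "${1:-${TMPDIR:-/tmp}}/octave-build.XXXXXXXXXX"
}

# Checks a build script should make before writing into a directory it did not
# just create itself: a real directory (not a symlink) that belongs to us.
# (-O is not POSIX, but dash and bash both support it.)
check_builddir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}

# Run the attack in a sandbox. Returns 0 when the naive script was hijacked
# (its output landed in the attacker's directory) AND check_builddir would
# have rejected the path, i.e. when the demonstration behaves as described.
demo_hijack() {
    sandbox=$(mktemp -d) || return 2
    victim="$sandbox/victim"            # where the attacker wants our files
    mkdir "$victim"
    # Attacker: plant a symlink at the predictable name ahead of the build.
    ln -s "$victim" "$sandbox/$(unsafe_builddir_name)"

    # Naive build script: mkdir -p "succeeds" because the path already exists...
    builddir="$sandbox/$(unsafe_builddir_name)"
    mkdir -p "$builddir" || return 2
    # ...and everything it writes goes wherever the symlink points.
    echo "build log" > "$builddir/config.log"

    hijacked=1
    [ -f "$victim/config.log" ] && hijacked=0
    caught=1
    check_builddir "$builddir" || caught=0

    rm -rf "$sandbox"
    [ "$hijacked" -eq 0 ] && [ "$caught" -eq 0 ]
}

# The safe variant: a freshly created directory that passes the same checks.
demo_safe() {
    sandbox=$(mktemp -d) || return 2
    builddir=$(safe_builddir "$sandbox") || { rm -rf "$sandbox"; return 1; }
    check_builddir "$builddir"
    rc=$?
    rm -rf "$sandbox"
    return "$rc"
}
```

The essential difference is atomicity: `mkdir -p` treats "already exists" as success, so it cannot distinguish its own directory from one an attacker prepared, whereas `mktemp -d` creates a name nobody could have predicted and refuses to proceed if creation fails. Also note that `fakeroot` does not change any of this; the build still runs with the real user's credentials against a shared /tmp.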