----- Original Message -----
> On Thu, May 15, 2014 at 11:41:36PM -0400, Nathan Scott wrote:
> > Hi Aurelien,
> > 
> > | On i386, pcp ships the upstream binary src/pmdas/mmv/mmvdump into
> > | /var/lib/pcp/pmdas/mmv/mmvdump without rebuilding it. This violates
> > | Debian policy and might be used by upstream to introduce backdoors or
> > | other security issues.
> > 
> > What gives that impression?  It seems to not be the case to me,
> > there is clearly code, makefile and no binary in the source tar
> > ball...
> > 
> > $ tar tzf ~/SOURCES/pcp-3.9.2.src.tar.gz | grep mmvdump
> > pcp-3.9.2/src/pmdas/mmv/mmvdump.c
> 
> You are looking at the upstream tarball. Given you repackage it (which
> probably warrants another bug report), you include some additional
> binaries.

*nod* - before 3.9.4 this was sort-of the case (the source tarball
is generated during the build from makefiles) and this is now done
differently again (3.9.4+), using git to generate the src.tar.gz,
but anyway ... ultimately, there was never any intention to ship
binaries accidentally this way, and it was accidentally resolved
by the git-archive transition in 3.9.4.  And confusion on my end
resulted from looking at the 3.9.2 source tarball generated from
a different build - you are correct.

> wget
> http://snapshot.debian.org/archive/debian/20140416T053134Z/pool/main/p/pcp/pcp_3.9.2.tar.xz

*nod*, my mistake - and as mentioned, 3.9.4 has kindly fixed this
up for us as a by-product of other changes.

> Of course, this has silently been fixed in version 3.9.4 without any
> mention in the changelog.

*nod* - it was not a known issue at that time.

Hope this helps sort things out; I guess at the end of the day, on
this bug at least, all's well that ends well.

thanks Aurelien.

--
Nathan
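The check the thread turns on is whether a source tarball carries prebuilt objects. Grepping the listing for a known name (as with `tar tzf ... | grep mmvdump`) only finds the binary you already suspect; the check a packager wants looks at content. The script below is an added example, not code from pcp or from either participant: it extracts an archive and reports every regular file that starts with the ELF magic bytes. The `pkg-1.0` archive it builds is constructed for the demonstration and stands in for a repackaged tarball with one stray build product.

```shell
#!/bin/sh
# Added example (not part of the pcp project or the thread above):
# scan a source tarball for prebuilt ELF objects by content, not by name.

# Build a constructed sample tarball: one real source file and one file
# that carries an ELF magic header standing in for an accidentally
# shipped build product. Prints the tarball path.
make_sample_tarball() {
  srcdir=$(mktemp -d) || return 2
  mkdir -p "$srcdir/pkg-1.0/src"
  printf 'int main(void) { return 0; }\n' > "$srcdir/pkg-1.0/src/tool.c"
  # \177ELF is the 4-byte ELF magic; the rest is filler, not a valid ELF.
  printf '\177ELF\002\001\001' > "$srcdir/pkg-1.0/src/tool"
  tarpath=$(mktemp) || return 2
  tar -czf "$tarpath" -C "$srcdir" pkg-1.0
  rm -rf "$srcdir"
  printf '%s\n' "$tarpath"
}

# List every regular file in the tarball whose first four bytes are
# 7f 45 4c 46 ("\177ELF"), one path per line relative to the archive
# root. Returns 1 if anything was found, 0 if the archive is clean,
# 2 if the archive could not be read.
# tar -x autodetects gzip/xz compression on GNU tar and bsdtar.
find_elf_in_tarball() {
  tarball="$1"
  workdir=$(mktemp -d) || return 2
  if ! tar -xf "$tarball" -C "$workdir"; then
    rm -rf "$workdir"
    return 2
  fi
  # -type f skips directories and symlinks; head -c 4 reads only the magic.
  hits=$(find "$workdir" -type f | while IFS= read -r f; do
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
      printf '%s\n' "${f#"$workdir"/}"
    fi
  done)
  rm -rf "$workdir"
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Usage: sh this_script.sh path/to/pkg.tar.gz
# Exit status 1 means at least one ELF object was listed on stdout.
if [ "$#" -eq 1 ]; then
  find_elf_in_tarball "$1"
fi
```

Run it against the tarball you actually upload (the repackaged `.tar.xz`, not the upstream `.tar.gz`), since the two can differ exactly in the way this bug showed. The magic test covers ELF only; static archives (`!<arch>`), Mach-O and PE objects each have their own leading bytes and would need extra cases in the comparison.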

