On to, 2008-01-31 at 23:17 +0900, Charles Plessy wrote:
> I do not know if it would be reasonable to extend the scope of the
> discussion to third-party packages.

Third-party packages such as... sponsored uploads?

The process you propose for verifying that a source package can be safely unpacked is complicated and error-prone and wrong[1], so I don't think we should consider it as a solution. That sounds harsh, and I apologize for that, but I cannot see a way to express it more politely without leaving room for negotiation for refinements.

I cannot see a reason to change the Debian source package format and its unpacking procedure such that it becomes less safe to do than it is now. I'd rather continue the current madness of having a dozen different ways of getting the source patched and ready for changing. Safety and security before convenience.

[1] It's not enough to examine the .diff.gz before unpacking to see what unpacking will do. The troublesome files may be in the .orig.tar.gz as well. So essentially one would need to do a full code review before unpacking.
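The kind of check footnote [1] has in mind, as an added example that is not part of the thread or of any Debian tool: a small Python scanner that lists the members of a .orig.tar.gz (or any tarball) whose path or link target would escape the unpack directory, run here on a constructed sample archive. The member names and link targets in the sample are made up for the demonstration.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar):
    """Return (member_name, reason) for entries that would write outside
    the extraction directory or create device nodes. Symlink targets are
    resolved relative to the directory that holds the link."""
    findings = []
    for m in tar.getmembers():
        norm = posixpath.normpath(m.name)
        if posixpath.isabs(m.name) or norm == ".." or norm.startswith("../"):
            findings.append((m.name, "path escapes extraction dir"))
        elif m.issym():
            if posixpath.isabs(m.linkname):
                findings.append((m.name, "absolute symlink target"))
            else:
                base = posixpath.dirname(norm)
                resolved = posixpath.normpath(posixpath.join(base, m.linkname))
                if resolved == ".." or resolved.startswith("../"):
                    findings.append((m.name, "symlink target escapes extraction dir"))
        elif m.isdev():
            findings.append((m.name, "device node"))
    return findings


def scan_targz(data: bytes):
    """Scan an in-memory .tar.gz without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return unsafe_members(tar)


def build_sample():
    """Constructed sample .orig.tar.gz: one benign file plus three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        ok = tarfile.TarInfo("pkg-1.0/README")
        ok.size = 5
        tar.addfile(ok, io.BytesIO(b"hello"))
        esc = tarfile.TarInfo("pkg-1.0/../../etc/cron.d/job")  # ".." traversal
        tar.addfile(esc, io.BytesIO(b""))
        ln = tarfile.TarInfo("pkg-1.0/debian")  # relative symlink out of the tree
        ln.type, ln.linkname = tarfile.SYMTYPE, "../../home"
        tar.addfile(ln)
        absln = tarfile.TarInfo("pkg-1.0/abs")  # absolute symlink target
        absln.type, absln.linkname = tarfile.SYMTYPE, "/etc"
        tar.addfile(absln)
    return buf.getvalue()
```

Running `scan_targz(build_sample())` flags the three hostile members and leaves the README alone; a real pre-unpack check would run this over both the .orig.tar.gz and the unpacked .diff.gz paths before touching the filesystem.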