On Fri, Feb 01, 2008 at 11:42:49AM +0200, Lars Wirzenius wrote:
>
> At the moment, I can unpack a source package and then review it before I
> run anything. You propose to make things more complicated by having to
> review things before unpacking. I find that to be an unwanted,
> unnecessary, and _dangerous_ complication.
>
> We can create ways in which patches are applied by dpkg-source directly,
> for example, instead of having to run code from the package. That's the
> point of my participation in this sub-thread: to stop the _wrong_ way of
> implementing this.
Hi Lars, hi all,

Of course, the idea of having dpkg-source apply the relevant patches through its own routines is better than having it call 'debian/rules patch', for the security reasons you explained before.

I have reviewed bug #250202, which was nicely summarised by Russ Allbery in early January, and tried to update the summary of our discussion on the wiki and to integrate ideas from bug #250202.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=250202#335
http://wiki.debian.org/debian/patches

As said before, the direction currently taken at the Policy level would be to require documenting how to "make the source ready for editing" in a file called README.source. It would be recommended to implement a 'patched' target that takes care of this. The security issue you raised has also been noted in #250202, therefore it is not proposed to automate the calling of this rule (in addition, it would require knowing the build-dependencies before unpacking, which is not convenient). So I guess that if you like your idea of implementing patching natively in dpkg-source, it is recommended to contribute it to the discussion of bug #250202.

There is another possibility that has been suggested, which is to build the source package with the patched sources. An immediate side-effect of this is that it overloads the .diff.gz, but that kind of overloading has apparently been tolerated in other cases, in particular for packages using autoconf/automake, so why not?

Lastly, I would like to ask a question about Wig&Pen: as it would be illegal to provide both a .diff.gz and a .debian.tar.gz file at the same time (http://www.dpkg.org/dpkg/NewSourceFormat), it seems that it matches the debian/patches workflow well, except that the trick of patching the sources at clean time would not work anymore. But the biggest problem may be that, unless I missed something, there was no clear answer when it was asked whether somebody was working on Wig&Pen.
Is there somebody working on Wig&Pen? Is the format consensual enough that it would be accepted in Debian?

Have a nice day,

-- 
Charles Plessy
http://charles.plessy.org
Wakō, Saitama, Japan
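As an added illustration of the approach both posters favour (the unpacking tool applying the patches through its own routines, rather than calling 'debian/rules patch' and thereby running code shipped in the package before anyone has reviewed it), here is a small Python sketch. It is not dpkg's code and not part of the original thread: it reads a quilt-style debian/patches/series and applies each unified diff itself, so nothing from the package is executed during unpacking. The source tree, patch and series file are constructed inline so it runs offline; only simple, well-formed hunks are handled, and the check that a patch target stays inside the tree is my own addition, not something the thread discusses.

```python
"""Apply a quilt-style debian/patches/series with the tool's own routines.

Added example, not dpkg's code: the unpacker applies patches itself instead
of running `debian/rules patch` (code shipped inside the package).  Handles
unified diffs with well-formed hunks only; everything below is constructed.
"""
import os
import re
import tempfile

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_unified_diff(text):
    """Return [(relative_path, [hunk, ...])]; hunk lines are (tag, content)."""
    files, hunks = [], None
    for line in text.splitlines():
        if line.startswith("--- "):
            continue                      # old-name header; not needed
        if line.startswith("+++ "):
            target = line[4:].split("\t")[0]
            # drop the leading "b/" component of git-style names
            path = target.split("/", 1)[1] if "/" in target else target
            hunks = []
            files.append((path, hunks))
        elif HUNK_RE.match(line):
            hunks.append({"old_start": int(HUNK_RE.match(line).group(1)),
                          "lines": []})
        elif hunks and line[:1] in (" ", "-", "+"):
            hunks[-1]["lines"].append((line[0], line[1:]))
    return files


def apply_hunks(original, hunks):
    """Apply hunks to a list of lines, verifying every context/removed line."""
    out, pos = [], 0
    for h in hunks:
        start = h["old_start"] - 1
        if start < pos:
            raise ValueError("overlapping hunks")
        out.extend(original[pos:start])
        pos = start
        for tag, content in h["lines"]:
            if tag in " -":               # must match the original exactly
                if pos >= len(original) or original[pos] != content:
                    raise ValueError("context mismatch at line %d" % (pos + 1))
                pos += 1
            if tag in " +":
                out.append(content)
    out.extend(original[pos:])
    return out


def safe_target(tree, rel):
    """Assumed extra check: refuse a patch whose target leaves the tree."""
    root = os.path.realpath(tree)
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("patch target escapes source tree: %r" % rel)
    return full


def apply_series(tree):
    """Apply debian/patches/series in order; returns the names applied."""
    pdir = os.path.join(tree, "debian", "patches")
    applied = []
    with open(os.path.join(pdir, "series")) as f:
        for entry in f:
            entry = entry.split("#", 1)[0].strip()   # quilt-style comments
            if not entry:
                continue
            name = entry.split()[0]                   # ignore -pN options
            with open(os.path.join(pdir, name)) as p:
                for path, hunks in parse_unified_diff(p.read()):
                    target = safe_target(tree, path)
                    with open(target) as src:
                        new = apply_hunks(src.read().split("\n"), hunks)
                    with open(target, "w") as dst:
                        dst.write("\n".join(new))
            applied.append(name)
    return applied


# Constructed sample input: one C file, one patch, one series entry.
GOOD_PATCH = ("--- a/hello.c\n+++ b/hello.c\n@@ -1,5 +1,5 @@\n"
              " #include <stdio.h>\n int main(void) {\n"
              '-    puts("hello");\n+    puts("hello, patched");\n'
              "     return 0;\n }\n")
ESCAPING_PATCH = GOOD_PATCH.replace("+++ b/hello.c", "+++ b/../../../x/hello.c")


def build_demo_tree(patch_text):
    tree = tempfile.mkdtemp(prefix="srcpkg-")
    os.makedirs(os.path.join(tree, "debian", "patches"))
    with open(os.path.join(tree, "hello.c"), "w") as f:
        f.write('#include <stdio.h>\nint main(void) {\n    puts("hello");\n'
                "    return 0;\n}\n")
    with open(os.path.join(tree, "debian", "patches", "greeting.patch"), "w") as f:
        f.write(patch_text)
    with open(os.path.join(tree, "debian", "patches", "series"), "w") as f:
        f.write("# applied by the unpacker itself, never via debian/rules\n"
                "greeting.patch\n")
    return tree


def run_demo():
    tree = build_demo_tree(GOOD_PATCH)
    applied = apply_series(tree)
    with open(os.path.join(tree, "hello.c")) as f:
        return applied, f.read()


def demo_rejects_escape():
    try:
        apply_series(build_demo_tree(ESCAPING_PATCH))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())
    print(demo_rejects_escape())
```

The point of the sketch is the trust boundary: the series file and the patches are treated purely as data that the tool parses and checks, so a malicious package can at worst produce a patch that fails to apply, not arbitrary code execution on the reviewer's machine.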