On Thu, 12 Apr 2012 10:50:39 -0400, Daniel Macks <dma...@netspace.org> wrote: On Thu, 12 Apr 2012 10:37:23 -0400, Daniel Macks <dma...@netspace.org> wrote: > They each have: > > > > CompileScript: rsync -avr --exclude=dist ./ dist/ > > > > which is a serious flaw. There is no guarantee that the builder > will > have network access. At least as importantly, it means a user > might > get a different ultimate package resuilt because the upstream > > server's contents could change. The whole aim of fink is to give > > reproducible results, which is why we even bother to have Version and > > Revision fields and checksums of the source and patchfiles. These > > packages need to fixed to encapsulate a specific snapshot of the > > files that would be downloaded. Looking further, there is also a sudo > command being run during InstallScript, which is not a valid thing to > do...no guarantee the build-machine will be attended and blocks all > sorts of scripted build processes. There are also chown > commands...seems inconsistent that one would need to sudo if one > already has the power to chown? But even better would be to do the > chown in PostInst, so that the whole build process can run in the > --build-as-nobody sandbox (a mechanism that prevents all sorts of > runaway root-user commands).
My spies tell me that the rsync is safe. I flagged it because every time I tried to build (which failed for the other reasons stated) I saw network access. Stupid coincidences:( So "package is busted but not *that* way". dan -- Daniel Macks dma...@netspace.org ------------------------------------------------------------------------------ For Developers, A Lot Can Happen In A Second. Boundary is the first to Know...and Tell You. Monitor Your Applications in Ultra-Fine Resolution. Try it FREE! http://p.sf.net/sfu/Boundary-d2dvs2 _______________________________________________ Fink-devel mailing list Fink-devel@lists.sourceforge.net List archive: http://news.gmane.org/gmane.os.apple.fink.devel Subscription management: https://lists.sourceforge.net/lists/listinfo/fink-devel
