On Apr 12, 2012, at 9:01 PM, Daniel Macks wrote: > On Thu, 12 Apr 2012 10:50:39 -0400, Daniel Macks <dma...@netspace.org> wrote: > On Thu, 12 Apr 2012 10:37:23 -0400, Daniel Macks <dma...@netspace.org> wrote: >> They each have: >> > >> > CompileScript: rsync -avr --exclude=dist ./ dist/ >> > >> > which is a serious flaw. There is no guarantee that the builder will > >> > have network access. At least as importantly, it means a user might > get >> > a different ultimate package resuilt because the upstream > server's >> > contents could change. The whole aim of fink is to give > reproducible >> > results, which is why we even bother to have Version and > Revision fields >> > and checksums of the source and patchfiles. These > packages need to fixed >> > to encapsulate a specific snapshot of the > files that would be >> > downloaded. Looking further, there is also a sudo command being run during >> > InstallScript, which is not a valid thing to do...no guarantee the >> > build-machine will be attended and blocks all sorts of scripted build >> > processes. There are also chown commands...seems inconsistent that one >> > would need to sudo if one already has the power to chown? But even better >> > would be to do the chown in PostInst, so that the whole build process can >> > run in the --build-as-nobody sandbox (a mechanism that prevents all sorts >> > of runaway root-user commands). > > My spies tell me that the rsync is safe. I flagged it because every time I > tried to build (which failed for the other reasons stated) I saw network > access. Stupid coincidences:( So "package is busted but not *that* way". > dan
I'm the maintainer of the package. Don't worry, I'll take a look at the package over the weekend. Jose ------------------------------------------------------------------------------ For Developers, A Lot Can Happen In A Second. Boundary is the first to Know...and Tell You. Monitor Your Applications in Ultra-Fine Resolution. Try it FREE! http://p.sf.net/sfu/Boundary-d2dvs2 _______________________________________________ Fink-devel mailing list Fink-devel@lists.sourceforge.net List archive: http://news.gmane.org/gmane.os.apple.fink.devel Subscription management: https://lists.sourceforge.net/lists/listinfo/fink-devel
