On Thu, 12 Apr 2012 10:37:23 -0400, Daniel Macks <dma...@netspace.org> wrote: They each have: > > CompileScript: rsync -avr --exclude=dist ./ dist/ > > which is a serious flaw. There is no guarantee that the builder will > have network access. At least as importantly, it means a user might > get a different ultimate package resuilt because the upstream > server's contents could change. The whole aim of fink is to give > reproducible results, which is why we even bother to have Version and > Revision fields and checksums of the source and patchfiles. These > packages need to fixed to encapsulate a specific snapshot of the > files that would be downloaded.
Looking further, there is also a sudo command being run during InstallScript, which is not a valid thing to do...no guarantee the build-machine will be attended and blocks all sorts of scripted build processes. There are also chown commands...seems inconsistent that one would need to sudo if one already has the power to chown? But even better would be to do the chown in PostInst, so that the whole build process can run in the --build-as-nobody sandbox (a mechanism that prevents all sorts of runaway root-user commands). dan -- Daniel Macks dma...@netspace.org ------------------------------------------------------------------------------ For Developers, A Lot Can Happen In A Second. Boundary is the first to Know...and Tell You. Monitor Your Applications in Ultra-Fine Resolution. Try it FREE! http://p.sf.net/sfu/Boundary-d2dvs2 _______________________________________________ Fink-devel mailing list Fink-devel@lists.sourceforge.net List archive: http://news.gmane.org/gmane.os.apple.fink.devel Subscription management: https://lists.sourceforge.net/lists/listinfo/fink-devel
