On Sat, Mar 22, 2008 at 10:30 PM, Tom Lane <tgl@xxxxxxxxxx> wrote: > Kevin Kofler <kevin.kofler@xxxxxxxxx> writes: > > From a security standpoint, all those variants are flawed though (even the > > mktemp is subject to a race condition), there is a proposal by Lubomir Kundrak > > to fix the mess: > > http://fedoraproject.org/wiki/PackagingDrafts/SecureBuildRoot > > but so far it's just a proposal. > > It's 100% nuts that the BuildRoot tag even exists. This is something > that could and should be handled by intelligence inside rpmbuild, > with no need to try to herd developers into agreeing on whatever the > theory-of-the-month is. > > Expecting specfiles to rm -rf the buildroot is just as stupid. > > I don't grasp why anyone is thinking that hundreds (thousands?) of > Fedora developers should deal with these things, rather than fixing it > once in RPM itself. > Because Tradition is a hard nut to break. When the rules for doing that were put into spec files back oh in RHL-3? RHL-4? it cleaned up a lot of problems where people would get bad build roots otherwise. While the problem is fixed in the general case of people using mock etc for building packages.. that is a short time in the life of RPM spec files. If you have been putting it in for 10+ years or you are copying someone who has been doing it for 10+ years.. you are going to keep stuff around.. because it made sense at one point, and you know of some squirrelly corner case in xyz rpm where it is still needed. -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
