Re: Submitting new packages
On Thu, Jul 03, 2008 at 10:39:14PM +0200, Quentin Garnier wrote:
> On Thu, Jul 03, 2008 at 09:22:23PM +0100, Alistair Crooks wrote:
> > On Thu, Jul 03, 2008 at 03:15:06PM -0400, Steven M. Bellovin wrote:
> > > On Thu, 3 Jul 2008 21:11:54 +0200
> > > jens.rehsack%bayerbbs.com@localhost wrote:
> > >
> > > > Hi all,
> > > >
> > > > I read in pkgsrc handbook, chap. 21.2, that a new package should be
> > > > submitted as a uuencoded, gzip'ed tar archive.
> > > > In FreeBSD we're using shar(1) which is more comfortable (at least
> > > > for me ^^).
> > > > Just a question: Does your process strictly require the uuencoded,
> > > > gzipped tar archive (though I must submit the PRs using the
> > > > web-interface) or is a shar file ok, too?
> > > > Finally, I will create an alias or a small script creating the
> > > > required format - so I do not want to initiate a big change - it's
> > > > just a question.
> > > >
> > > shar is a pretty serious security risk for the recipient; I'd be
> > > appalled if we accepted it.
> > Absolutely - please submit as a tar archive, or find someone who
> > can help you do that. It's not that onerous, and it makes our lives
> > much less stressful.
> Much less? A clever MASTER_SITES setting will make you download crap
> that will root you at do-install time easily, anyway. If you're that
> scared about shar archives, you don't want to build anything you found
> in a PR anyway.
Much less - some of us have tools for inspecting the components of
packages when they are unpacked, and ready for review. Having to
do this by hand on a shar before unpacking the files is a barrier
to doing things effectively.
MASTER_SITES is an easy one to spot, though - I can think of better
ways to subvert things.
> Not that I see how shar makes anything easier, though :-)
No, that's puzzling me too, but I'm sure it makes sense somehow.
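
Added example, not part of the original message and not one of the inspection tools it mentions: a submitted tar archive can be audited from its headers alone, whereas a shar is a shell script that has to be run to unpack it. The sketch uses Python's standard tarfile module; the member names and sample archive are constructed.

```python
import io
import stat
import tarfile


def audit_tar(data: bytes) -> list[tuple[str, str]]:
    """List (member, finding) pairs by reading headers only; nothing is extracted or run."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if m.name.startswith("/"):
                findings.append((m.name, "absolute path"))
            if ".." in m.name.split("/"):
                findings.append((m.name, "parent-directory component"))
            if m.issym() or m.islnk():
                findings.append((m.name, "link -> " + m.linkname))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit"))
    return findings


def build_sample() -> bytes:
    """Constructed sample submission (hypothetical names), built in memory."""
    members = [
        # (name, content, mode, type, linkname)
        ("newpkg/Makefile", b"# constructed sample\n", 0o644, tarfile.REGTYPE, ""),
        ("newpkg/DESCR", b"Constructed description\n", 0o644, tarfile.REGTYPE, ""),
        ("../outside/file", b"x", 0o644, tarfile.REGTYPE, ""),
        ("/tmp/absolute", b"x", 0o644, tarfile.REGTYPE, ""),
        ("newpkg/link", b"", 0o777, tarfile.SYMTYPE, "/etc/hosts"),
        ("newpkg/tool", b"x", 0o4755, tarfile.REGTYPE, ""),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content, mode, typ, link in members:
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.type, info.linkname = len(content), mode, typ, link
            tar.addfile(info, io.BytesIO(content) if content else None)
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in audit_tar(build_sample()):
        print(f"{name}: {finding}")
```

An empty result only means the archive layout is unremarkable; the Makefile and other package files still need review before anything is built.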