"J. Lewis Muir" <jlmuir%imca-cat.org@localhost> writes:

> On 04/05, J. Lewis Muir wrote:
>> 1. It checks for group- or world-writable files. If it should only
>> check for world-writable files, obviously it's trivial to change it
>> to do that.
>
> I've decided that checking for group-writable files is too strict.
> I just tried to build devel/protobuf and came across two packages
> that have distfiles with group-writable files: www/libuv and
> devel/googletest. If that's at all indicative of what's out there, I
> suspect a full bulk build would have a terrible time. So, I've updated
> the patch to only check for world-writable files. The updated patch is
> below.

Without thinking too much (and I haven't had time to really read yet):
bulk builds don't set PKG_DEVELOPER, or at least they didn't use to. It
would slow them down and things would break. People generally set that
when testing updates before committing.

I wonder what would happen if you start filing bug reports. If most of
them fix their distfiles, that's useful. But if nobody cares, it seems a
bit like tilting at windmills.

If there's a security issue, it seems group writable and world writable
are not so different (unless you make assumptions about groups which
seem unwarranted).

If there are a lot of these, one approach is for you to keep the
writable PKG_DEVELOPER check just in your tree and we can add the
post-extract chmod line for them. But if there are hundreds, that seems
messy.
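The post-extract check the thread is discussing, as an added example that is not code from the thread, from the patch it refers to, or from pkgsrc: a POSIX sh function that lists world-writable entries under an extracted distfile tree and, since the reply argues the two cases are not so different, can also be switched to report group-writable ones; a companion function applies the "post-extract chmod" remedy. The function names, the `group` mode switch and the directory layout in the usage line are assumptions. Symlinks are skipped because `find -perm` tests the link's own mode (typically 0777), which would otherwise produce false positives on every link.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or pkgsrc (assumption:
# function names and the "group" switch are invented here).

# check_writable DIR [group]
# Print every file or directory under DIR with the world write bit set.
# With a second argument of "group", also report entries that are only
# group-writable. Directories are included: a world-writable directory
# lets anyone replace the files inside it, so it is as bad as a file.
check_writable() {
    dir=$1
    mode=${2:-world}
    if [ "$mode" = "group" ]; then
        # either the group write bit (020) or the other write bit (002)
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print | sort
    else
        # only the other write bit (002)
        find "$dir" ! -type l -perm -002 -print | sort
    fi
}

# count_writable DIR [group]
# Number of offending entries; 0 means the tree passes the check.
count_writable() {
    check_writable "$@" | wc -l | tr -d ' '
}

# fix_writable DIR
# The remedy mentioned in the thread: strip group and other write bits
# from the whole tree so the check passes afterwards.
fix_writable() {
    find "$1" ! -type l -exec chmod go-w {} +
}

# Usage when run as a script: check_writable on the given directory
# (e.g. an extracted work directory), optionally in group mode.
if [ $# -gt 0 ]; then
    check_writable "$1" "$2"
fi
```

Run as `sh check-writable.sh work/foo-1.0` to list world-writable entries, or `sh check-writable.sh work/foo-1.0 group` for the stricter variant the first message originally implemented; an empty listing means the tree is clean.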