[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Packaging Guidelines: Why so lax for BuildRoot?

From: Kevin Kofler <kevin kofler chello at>
To: fedora-devel-list redhat com
Subject: Re: Packaging Guidelines: Why so lax for BuildRoot?
Date: Sat, 22 Mar 2008 23:40:30 +0000 (UTC)

Stephen Warren <s-t-rhbugzilla <at> wwwdotorg.org> writes:
> I'm curious why the packaging guidelines aren't more specific re: the
> requirements for the BuildRoot tag.

Because there were endless fights over which of the 3 BuildRoots now listed is 
the right one, so they ended up just allowing all 3 as a compromise to stop the 
fights. By the way, the first one (the mktemp) is listed as preferred, but the 
second one is actually the one used by almost all packages (partly for 
historical reasons, it used to be the one which was mandated).

>From a security standpoint, all those variants are flawed though (even the 
mktemp is subject to a race condition), there is a proposal by Lubomir Kundrak 
to fix the mess:
http://fedoraproject.org/wiki/PackagingDrafts/SecureBuildRoot
but so far it's just a proposal.

        Kevin Kofler

Follow-Ups:
- Re: Packaging Guidelines: Why so lax for BuildRoot?
  - From: Matt Domsch
- Re: Packaging Guidelines: Why so lax for BuildRoot?
  - From: Tom Lane

References:
- Packaging Guidelines: Why so lax for BuildRoot?
  - From: Stephen Warren

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]