[Rpm-maint] [rpm-software-management/rpm] rpmbuild: Fix `-ts` srpm specfile name (#1397)

Panu Matilainen notifications at github.com
Wed Dec 2 07:16:19 UTC 2020


@pmatilai commented on this pull request.



>      FD_t fd = NULL;
     static const char *tryspec[] = { "Specfile", "\\*.spec", NULL };
 
-    if (!(fd = rpmMkTempFile(NULL, &specFile)))
+    specDir = rpmGetPath("%{_tmppath}", NULL);
+    if (!(fd = rpmMkTempFile(NULL, &tmpSpecFile)))
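Review bot: the hunk pairs a randomized temporary file (`tmpSpecFile` from `rpmMkTempFile`) with a fixed directory, `specDir = rpmGetPath("%{_tmppath}", NULL)`, which is the shared, typically world-writable temp location; any final spec placed in `specDir` under a name derived from the srpm is therefore predictable, so it can silently clobber a file that is already there and two users extracting the same srpm at the same time will collide. Consider instead creating a private directory under `%{_tmppath}` (mkdtemp-style, mode 0700) and putting the spec, and anything else `-ts` needs, inside it. Also note that `rpmGetPath` returns an allocated string, so `specDir` needs to be freed on the early-return path where `rpmMkTempFile` fails as well as on success.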

My main issue with this patch is that it tries to place a "predictable" filename into a world-writable directory. This always gets people going about security, but it can also cause unpredictable failures for no good reason (two users trying to do the same thing at the same time, stranger things have happened). That is a no-go.

So we kinda do need a temporary file for this, but we also need a place to put the final spec. The specdir as used by the original code wasn't optimal either, as you could end up overwriting your own data with zero warning (has actually happened to me). One "easy" solution would be just using the current directory, but with similar risks of overwriting data. So the way to handle this that cannot randomly fail, or overwrite your data if you happen to have a file by the same name around, is to create a temporary *directory* and place the spec (and anything else we might need) there.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1397#discussion_r533942962
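The two approaches contrasted in the comment above, as an added example in C that is not rpm's code and not part of the thread: the first function writes the spec to a predictable path in a shared directory and truncates whatever is already there, the second creates a private directory with mkdtemp() and then creates the spec inside it with O_EXCL|O_NOFOLLOW so nothing existing can be overwritten or redirected. The function names (spec_in_shared_dir, spec_in_private_dir, cleanup_private_dir, file_size) and the "rpmbuild-ts.XXXXXX" directory template are assumptions made for the example.

```c
/* Added example (not rpm's code): predictable spec path in a shared temp
 * directory versus a private mkdtemp() directory.  All function names and
 * the directory template below are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: the spec lands at <shared_dir>/<name>.  The path is
 * predictable, so a pre-existing file (your own data, or a symlink planted
 * by another user of the world-writable directory) is silently truncated,
 * and two users extracting the same srpm at once collide.
 * Writes the path to out; returns an fd, or -1 on error. */
int spec_in_shared_dir(const char *shared_dir, const char *name,
                       char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/%s", shared_dir, name) >= (int)outlen)
        return -1;
    /* O_TRUNC without O_EXCL: clobbers whatever is already there. */
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safer pattern: create a private directory under tmppath with mkdtemp()
 * (unpredictable name, mode 0700), then create the spec inside it with
 * O_EXCL|O_NOFOLLOW, so an existing file cannot be overwritten and a
 * symlink cannot redirect the write.  Writes the directory to dir_out and
 * the spec path to out; returns an fd, or -1 on error. */
int spec_in_private_dir(const char *tmppath, const char *name,
                        char *dir_out, size_t dirlen,
                        char *out, size_t outlen)
{
    if (snprintf(dir_out, dirlen, "%s/rpmbuild-ts.XXXXXX", tmppath)
            >= (int)dirlen)
        return -1;
    if (mkdtemp(dir_out) == NULL)
        return -1;
    if (snprintf(out, outlen, "%s/%s", dir_out, name) >= (int)outlen) {
        rmdir(dir_out);
        return -1;
    }
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        rmdir(dir_out);
    return fd;
}

/* Remove the spec and its private directory once the caller is done. */
int cleanup_private_dir(const char *dir, const char *spec_path)
{
    if (unlink(spec_path) != 0 && errno != ENOENT)
        return -1;
    return rmdir(dir);
}

/* Size of a file in bytes, or -1 if it cannot be stat()ed. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void)
{
    /* Constructed sandbox standing in for %{_tmppath}. */
    char base[] = "/tmp/ts-demo.XXXXXX";
    if (mkdtemp(base) == NULL)
        return 1;

    /* A file that already exists under the "predictable" name. */
    char pre[512];
    snprintf(pre, sizeof pre, "%s/foo.spec", base);
    int pfd = open(pre, O_WRONLY | O_CREAT, 0644);
    if (pfd < 0 || write(pfd, "Name: foo\n", 10) != 10)
        return 1;
    close(pfd);

    char p1[512];
    int fd1 = spec_in_shared_dir(base, "foo.spec", p1, sizeof p1);
    printf("shared dir: %s, size after open = %ld (was 10)\n",
           p1, file_size(pre));
    if (fd1 >= 0) close(fd1);

    char dir[512], p2[512];
    int fd2 = spec_in_private_dir(base, "foo.spec", dir, sizeof dir,
                                  p2, sizeof p2);
    printf("private dir: %s (fd %d)\n", p2, fd2);
    if (fd2 >= 0) close(fd2);
    cleanup_private_dir(dir, p2);
    unlink(pre);
    rmdir(base);
    return 0;
}
```

Run as a normal user: the first call reports the pre-existing foo.spec truncated to 0 bytes with no warning, the second never touches it because its spec lives in a freshly created 0700 directory whose name nobody could have guessed in advance.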