[Rpm-maint] [rpm-software-management/rpm] RFE: drop rpmlib() poisoning from --short-circuit'ed binaries (Issue #3091)
Panu Matilainen
notifications at github.com
Mon May 13 06:49:13 UTC 2024
> The whole idea of "prevent people from distributing them" doesn't make much sense. You cannot build a package with --short-circuit "accidentally". It's a very long option that you need to insert in the right place. And I guess "otherwise" means "maliciously" here
Obviously you can't use --short-circuit accidentally; the accident refers to distributing a binary built that way. Think of a lone developer uploading a binary built on their own system to the net for others to use. That's not as common these days as it once was; nowadays, thankfully, most people use actual build systems.
The "otherwise" doesn't refer to malice, but ignorance. There have been people wanting to distribute packages built with short-circuit, just to shorten their build times basically.
But 14 years later (7583fcc3416e5e4accf1c52bc8903149b1314145) and hopefully a bit wiser too: a gentler version would be simply to "watermark" short-circuited builds somehow. It doesn't have to be an install-breaking dependency, just something that you can check.
https://github.com/rpm-software-management/rpm/issues/3091#issuecomment-2106778640