oss-sec mailing list archives

Re: Using quilt on untrusted RPM spec files


From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 22 Oct 2018 20:26:38 +0200

* Matthias Gerstner <mgerstner () suse de>, 2018-09-27, 17:59:
> It turns out that running `quilt setup` on untrusted sources is not a good idea:

Debian largely avoids this problem by having a source package format with built-in patch system[0]. Most of the time the unpacked source package will have patches applied, so there's no need for the reviewer to run untrusted code to prepare the source.

(That said, dpkg-source had quite a few path traversal bugs in the past[1] and I have a hunch there's more to be found...)

While debian/rules can have an optional "patch" target[2] (which is a bit like RPM's %prep), it has fallen into disuse these days. A developer wouldn't call "debian/rules patch" against a random not-yet-reviewed package, because it would be unusual to have this target implemented.

[0] https://manpages.debian.org/stretch/dpkg-dev/dpkg-source.1.en.html#Format:_3.0_%28quilt%29
[1] https://security-tracker.debian.org/tracker/source-package/dpkg
[2] https://www.debian.org/doc/debian-policy/ch-source.html#main-building-script-debian-rules

--
Jakub Wilk
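A pre-unpack check of the kind this thread implies, added here as an example and not code from the post, dpkg-source or quilt: walk a debian/patches/series file and flag any patch whose "+++" target would land outside the source tree once -pN stripping is applied. The series text and patch contents below are constructed for the demo.

```python
import posixpath
import re

# "+++ path" header of a unified diff; "a/" and "b/" prefixes are part of path.
_PLUS_HEADER = re.compile(r"^\+\+\+ (\S+)")

def path_escapes_tree(target: str, strip: int = 1) -> bool:
    """True if a patch target, after -pN stripping, lands outside the tree:
    absolute path, nothing left after stripping, or normalised to '..'."""
    if target == "/dev/null":          # creation/deletion marker, not a path
        return False
    if target.startswith("/"):
        return True
    stripped = "/".join(target.split("/")[strip:])
    if not stripped:
        return True
    norm = posixpath.normpath(stripped)
    return norm == ".." or norm.startswith("../")

def unsafe_targets(patch_text: str, strip: int = 1) -> list:
    """Collect every '+++' target in a unified diff that escapes the tree."""
    bad = []
    for line in patch_text.splitlines():
        m = _PLUS_HEADER.match(line)
        if m and path_escapes_tree(m.group(1), strip):
            bad.append(m.group(1))
    return bad

def check_series(series: str, patches: dict) -> dict:
    """Walk a series file (quilt syntax: name, optional -pN, '#' comments) and
    map patch name -> unsafe targets. `patches` maps name -> patch text; here
    it is built in memory instead of being read from debian/patches/."""
    report = {}
    for raw in series.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *opts = line.split()
        strip = next((int(o[2:]) for o in opts if o.startswith("-p") and o[2:].isdigit()), 1)
        bad = unsafe_targets(patches.get(name, ""), strip)
        if bad:
            report[name] = bad
    return report

# Constructed sample: one benign patch and one whose target escapes the tree.
SAMPLE_PATCHES = {
    "fix-typo.patch": "--- a/README\n+++ b/README\n@@ -1 +1 @@\n-teh\n+the\n",
    "evil.patch": "--- a/x\n+++ b/../../../home/user/.bashrc\n@@ -0,0 +1 @@\n+injected line\n",
}
SAMPLE_SERIES = "fix-typo.patch\nevil.patch -p1  # looks harmless in the list\n"
```

This only inspects diff headers, so it is a cheap triage step, not a substitute for the traversal checks the unpacking tool itself must perform.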
