Control: tags -1 wontfix

On Wed, 2 Jan 2013 12:45:35 -0400 Joey Hess <[email protected]> wrote:
> No, I refuse to allow debian/control to become a security boundary
> which I have to worry about. There are too many legitimate ones in the
> world.
>
> --
> see shy jo
Hi,

I agree with Joey on this one. At the point you start the build, you are trusting the package (upstream build included) not to brick/take over your machine. Arbitrary code execution in a package build is a dime a dozen. You can much more easily hide something in the upstream build, which would not stand out (unlike the given examples).

That said, there are certainly other programs that need to be a lot more careful than debhelper. As an example, I can mention Lintian. If you were able to reproduce such an issue while running such a program on a crufted package, please do send the security team a notification.

Thanks,
~Niels

