On 20:46 Thu 16 Aug , Jakub Wilk wrote:
> * Vasudev Kamath <[email protected]>, 2012-07-30, 21:56:
> >>It doesn't look like it's suitable for wheezy, so please make it
> >>s/unstable/experimental/.
> >Done! When it should be moved to unstable? After wheezy release?
>
> Yes, after wheezy is released.
Okay
> >>>+-$ $(tabbed -d >/tmp/tabbed.xid); urxvt -embed $(</tmp/tabbed.xid);
> >>>++$ $(tabbed \-d >/tmp/tabbed.xid); urxvt \-embed $(</tmp/tabbed.xid);
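Review bot: the replacement line still redirects the window id to the fixed path /tmp/tabbed.xid, which any other local user can pre-create or replace with a symlink before the command runs; only the hyphen escaping changed. Capture the output of `tabbed -d` in a shell variable (or a file under a directory only the user can write to) instead, and drop the outer `$( )` around the tabbed command, since its output is already redirected and nothing is left to substitute.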
> >>If you're fixing this, please also fix the security hole
> >>(insecure use of temporary files).
> >Done too
>
> So it's now:
>
> TMPFILE=$(mktemp \-\-tmpdir tabbedxid.XXX);$(tabbed \-d > ${TMPFILE});urxvt
> \-embed $(<${TMPFILE})
>
> which is certainly better from security perspective, but not
> necessarily from usability one. I think the reason for storing xid
> in a file with predictable name was that it allowed you to connect
> more than one urxvt to the same tabbed. So I think that:
> 1) TMPFILE is a bad variable name for this purpose;
> 2) you could have saved one level of indirection by storing "tabbed
> -d" output directly into the variable (rather than into temporary
> file);
> 3) perhaps it would make more sense to use a file somewhere in
> $HOME.
Well yes that line looks most ugly :-). Now I'm choosing 2nd option
given by you and patch is cleaned up.
>
> >>>+ @cd /tmp
> >>>+ @tar -cvf - suckless-tools_$(CURRENT_VERSION) 2> /dev/null | gzip -9 >
> >>>../suckless-tools_$(CURRENT_VERSION).orig.tar.gz
> >>>+ @rm -rf /tmp/suckless-tools_$(CURRENT_VERSION)
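Review bot: `@cd /tmp` on its own recipe line has no effect on the `tar` line that follows, because make runs each recipe line in a separate shell unless the lines are joined with `&& \`, so as written the archive is built from whatever directory make was started in. The working directory /tmp/suckless-tools_$(CURRENT_VERSION) is also a predictable name in a world-writable directory, and the `rm -rf` on it follows whatever another user placed there; create the directory with `mktemp -d` inside the recipe and refer to it through that result. The `2> /dev/null` on tar also hides any error that would leave a truncated .orig.tar.gz.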
> >>This creates temporary files insecurely.
> >Fixed.
>
> I see you did this:
>
> get-orig-source: TMPDIR :=$(shell (mktemp --tmpdir -d suckless-tools.XXXX))
>
> It looks like a nice hack, but... it will create a temporary
> directory every time debian/rules is run (not only for the
> get-orig-source target).
>
Since it was with the get-orig-source: target, I thought that, like in all Makefiles,
it should be called only when we do debian/rules get-orig-source, but
it looks like it creates the directory even when I call debian/rules clean,
and I don't understand why! Do you have any other alternatives for
this, and possibly a reason why it's being called on targets other than
get-orig-source?
I actually took this method from the git-flow package. Of course it's not
creating any TMPDIR, but it does the same for setting one variable. I asked
the package owner and he told me that is the only way to set the variable (or
at least that is what I interpreted).
Note: I referred to git-flow because it's also a multi-source package.
I've pushed the changes and am waiting for your comments.
With Regards
--
Vasudev Kamath
http://copyninja.info
Connect on ~friendica: copyninja@{frndk.de | vasudev.homelinux.net}
IRC nick: copyninja | vasudev {irc.oftc.net | irc.freenode.net}
GPG Key: C517 C25D E408 759D 98A4 C96B 6C8F 74AE 8770 0B7E
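
An added example, not part of this thread or of the package's debian/rules: one way to keep the temporary directory out of every other target is to create it inside the recipe, in a single shell invocation, rather than in a `:=` assignment that make expands while reading the file. The names `ORIG_NAME` and `workdir`, the constructed `CURRENT_VERSION` value and the fetch step are assumptions for illustration.

```make
#!/usr/bin/make -f
# Added example (not the package's own rules file).
# CURRENT_VERSION below is a constructed value for illustration.
CURRENT_VERSION ?= 0.0-example
ORIG_NAME := suckless-tools_$(CURRENT_VERSION)

# Pattern discussed in the thread, left commented out. With ":=" the
# right-hand side is expanded when make reads the file, so mktemp runs
# (and a directory is created) for clean, build and every other target:
#
# get-orig-source: TMPDIR := $(shell mktemp --tmpdir -d suckless-tools.XXXX)

# Here mktemp runs only when this recipe runs. The lines are joined with
# "\" so they share one shell: workdir stays set, and the EXIT trap
# removes the directory even if a later command fails under "set -e".
get-orig-source:
	@set -e; \
	workdir=$$(mktemp --tmpdir -d suckless-tools.XXXXXX); \
	trap 'rm -rf "$$workdir"' EXIT; \
	mkdir "$$workdir/$(ORIG_NAME)"; \
	: "placeholder: fetch the upstream sources into $$workdir/$(ORIG_NAME)"; \
	tar -C "$$workdir" -cf - "$(ORIG_NAME)" \
		| gzip -9 > "../$(ORIG_NAME).orig.tar.gz"

# Running this target creates nothing under the temporary directory root.
clean:
	@echo "clean: no temporary directory created"

.PHONY: get-orig-source clean
```

The directory name is chosen by mktemp and created with owner-only permissions, so the recipe never operates on a path another local user could have prepared in advance.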

