Erich Schubert created BIGTOP-1796:
--------------------------------------
Summary: Replace puppet toolchain installation with a SANE
solution, not involving unzipping of unsigned data to the root folder
Key: BIGTOP-1796
URL: https://issues.apache.org/jira/browse/BIGTOP-1796
Project: Bigtop
Issue Type: Bug
Components: build
Reporter: Erich Schubert

The way the build toolchain is installed is just INSANE.
Puppet 3.x and root required, are you serious?
It's okay if people need to install some prerequisites, but this should not
involve automagic execution of lines deeply hidden like this:
'/bin/bash -c "wget http://www.scala-lang.org/files/archive/scala-2.10.3.deb ;
dpkg -x ./scala-2.10.3.deb /"'
From:
https://github.com/apache/bigtop/blob/4f875876f924c17b62a6ce53249c2c31aa738602/bigtop_toolchain/manifests/scala.pp
This is MADNESS!
Note that "dpkg -x" EXTRACTS the contents of this UNSIGNED package to the ROOT
FOLDER. Instead of actually installing the package in a way that it could be
cleanly uninstalled afterwards; without executing installation scripts, but
also without any signature checking. In other words, this is a security issue
during build. It's NOT EVEN https, yet GPG signed.
This is FUBAR.
No wonder the Linux distributions don't adopt the packages into the
distributions. This build process is an ugly collection of hacks!
This should be deleted, and completely rewritten from scratch, sorry to be this
harsh.
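A hardened counterpart to the `wget` plus `dpkg -x ... /` line quoted in the report, as an added example that is neither Bigtop's code nor the reporter's. It uses a pinned SHA-256 digest rather than a GPG signature, refuses non-HTTPS URLs, and leaves installation to `dpkg -i`; the function names are hypothetical, the pin is a placeholder to be recorded from a trusted copy, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example (not Bigtop code). Function names are hypothetical.

# verify_sha256 FILE EXPECTED_HEX: return 0 only if FILE hashes to the pin.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A pin must be exactly 64 hex digits; an empty pin must never pass.
    case $expected in
        ''|*[!0-9a-fA-F]*) echo "malformed pin" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
}

# fetch_verified URL EXPECTED_HEX DEST: download over HTTPS to a temporary
# file and move it to DEST only after the digest check succeeds.
fetch_verified() {
    url=$1
    pin=$2
    dest=$3
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
    esac
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    if wget -q -O "$tmp" "$url" && verify_sha256 "$tmp" "$pin"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Intended use (PIN is a placeholder; record it from a copy you trust):
#   fetch_verified "$URL" "$PIN" ./scala.deb && dpkg -i ./scala.deb
# dpkg -i registers the package so it can be removed again, unlike
# "dpkg -x ... /", which only unpacks files over the root filesystem.
```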