Quoting Sebastian Ramacher (2016-10-21 13:25:45)
> On 2016-10-21 13:16:10, Jonas Smedegaard wrote:
> > Quoting Jakub Wilk (2016-10-21 12:52:57)
> > > Package: vlc-plugin-skins2
> > > Version: 2.2.4-7
> > > Severity: important
> > > User: multiarch-de...@lists.alioth.debian.org
> > > Usertags: multiarch
> > >
> > > vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is
> > > architecture-dependent:
> > >
> > > /usr/share/vlc/skins2/default.vlt
> > >
> > > An example diff between i386 and amd64 (generated by diffoscope) is
> > > attached.
> >
> > The diff seems to reveal the package was not built in a pristine chroot!
>
> No, it doesn't. It just reveals that it was an upload including
> binaries since it had to go through NEW.
>
> The offending code is in share/Makefile.am which creates default.vlt.

Right.

Bug is not that content varies (it was created in a shared makefile, and diff attached to original bugreport also shows identical _content_).

Bug is also not that it was built in a non-pristine environment - but it is a _hint_ about the underlying bug that the user "sebastian" is the owner and group for the files in the diff.

It is a real¹ bug that a non-binNMU package inherits access rights from the user account where it is built!

It seems that every time you build the package as a non-binNMU it has a security hole in that a user named "sebastian" in any target system gets write access to some files intended to be writable only by root!

Likely the fix is to change debian/rules and/or patch upstream install routines to use "install" with appropriate arguments, instead of "cp".

 - Jonas

¹ I suspect that your including the word "just" means that you do not consider this a serious bug.

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
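
The ownership metadata discussed in this thread can be checked mechanically before an upload. The following is an added example, not part of the thread or of the VLC or Debian packaging; it assumes default.vlt is a gzip-compressed tar archive, and the member names, uid/gid 1000 and helper function names are constructed for illustration.

```python
import io
import tarfile


def build_sample(uname, gname, uid, gid):
    """Construct a small .vlt-like tar.gz in memory (sample data, not VLC's)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("default/theme.xml", "default/main.png"):
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.uname, info.gname, info.uid, info.gid = uname, gname, uid, gid
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def leaked_owners(archive_bytes):
    """Return (member, owner, group) for every member not recorded as root:root."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar:
            if (m.uid, m.gid) != (0, 0) or m.uname not in ("", "root") \
                    or m.gname not in ("", "root"):
                findings.append((m.name, m.uname or str(m.uid), m.gname or str(m.gid)))
    return findings


def normalize_owners(archive_bytes):
    """Rewrite the archive so every member is recorded as root:root (uid/gid 0)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src:
            m.uid = m.gid = 0
            m.uname = m.gname = "root"
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


if __name__ == "__main__":
    built = build_sample("sebastian", "sebastian", 1000, 1000)
    for finding in leaked_owners(built):
        print("non-root owner:", *finding)
    print("after normalizing:", leaked_owners(normalize_owners(built)))
```
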