On Wed, May 24, 2017 at 10:56:52PM +0100, Ian Jackson wrote:
> But if there are packages where the .git directory is somehow actually
> used in the build, your scheme won't help because a build from the
> imported git tree will use your history, not the history found in the
> .dsc's .git.

I don't think this matters. By using our imported git tree and using git
to clone it, the user is explicitly requesting our importer's history in
.git, contrary to the source package's .git directory. I think it's
reasonable for "our git" to "take over" .git in this case. The original
uploader left a .git "trap" and we aren't in a position to remove the
trap for unsuspecting developers, but I don't think we're making it
worse. The badness happened in as an interaction between the bad source
package and the the decision to use git tooling and have an importer in
the first place, and the user is complicit in the latter decision.

In mitigation, we have "build" and "build-source" wrappers that could
always do the correct unescaping here. Then you'd only fall into the
trap if you aren't using the wrapper.


Attachment: signature.asc
Description: PGP signature

vcs-pkg-discuss mailing list

Reply via email to