javispedro
#20
Note that the popcorn comes from the fact that we are going to repeat (again) a discussion that has been had quite a few times, and that usually gets few positive results (if any).

Originally Posted by szopin:
Trivial maybe in 2009, but now the future life of the N900 depends on them (gcc/libstdc++...).
I mean trivial as in "script that is doing that check is a few chars long". And buggy, as Estel commented.

Originally Posted by szopin:
Seeing a build process of something that includes a malicious .so helps how exactly?
In that you WON'T install it?



Originally Posted by Estel:
Can't fully agree. It's not a case of apt-get upgrade or dist-upgrade - the package mentioned in the first post is a dependency of many other packages, so even when upgrading a "theoretically" safe thing like a NES or PS emulator (which one agrees to download from -devel, due to trust in the developer), people will get a broken system core package, through no fault of the developer of the mentioned emulator!
They _won't_ as long as they don't use apt-get upgrade.

You can manage to bork a -dev package so that it actually causes a dep on the broken version, and this is actually the default case if you don't use e.g. shlibs.
It was argued that usually a developer of another package that depends on those broken -dev packages will notice the issue as soon as he uploads a new version, and will therefore shoot the offending package(s) down -- which is what has usually happened in the past.

OTOH, private repos: http://repo.pub.meego.com/home%3a/