Re: Marmistrz's failed devel package - unexpected results/conclusions
 

Install FM Radio latest version from devel. Click on icon... nothing happens. Probably many more packages have such behaviour (maybe PR 1.2 app?) but on WIN I would instantly start an AV soft and download another to perform a check, just to be sure (which will never be oh well). -devel allowing apps to run as superuser is just another vector of attack. N900 is super easy for malicious devs to attack, only thing that is helping is lack in numbers (but this as security through obscurity is dumb defense at best)

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

This is part of the price we pay for having a broken QA process. Since many packages languish for months in Extras Testing, people have started downloading from the more risky repositories, because they are the only ones with new packages.

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

Indeed, it's what's the problem. I use extras-devel myself, continuously enabled, but have at least apt-pinning done.

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

/me grabs popcorn.

In any case,
Never apt-get upgrade or dist-upgrade with extras-devel enabled. It was already common knowledge in 2009... seems that this has to be periodically refreshed...

There has been many similar situations to this one. Someone packages some "dependencies" and all those who apt-get upgrade from extras-devel get bricked.
And packages that brick the device are the easy ones. There are much more subtle issues such as losing audio, codec support, general slowness or battery issues....

So, never upgrade with extras-devel enabled.


Please explain where the obscurity is. Every package source code is publicly readable for you to read.

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

Static libs inclusions, or are they blocked by autobuilder?

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

The autobuilder will not block virtually anything except for a few trivial cases. But you can still see the build process (which is the point here).

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

And you making a point this was common knowledge in 2009, just enforces current lack of that common knowledge. While you enjoy your popcorn, most 2012 people just heard devel is dangerous/untrustworthy... bon apetite

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

Trivial maybe in 2009, but now future life of N900 depends on them (gcc/libstdc++...). Seeing a build process of something that includes malicious .so helps how exactly?

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

@javispedro
Can't fully agree. It's not the case of apt-get upgrade or dist-upgrade - package mentioned in first post is a dependency of many other packages, so, even upgrading "theoretically" safe thing like NES or PS emulator (which one agrees to download from -devel, due to trust for developer), people will get broken system core package, without fault on side from developer of mentioned emulator!

Clearly, it's marmistrz fault mostly, but neither should it be allowed by repositories. another question is why sometimes it works like that, and for some package, such trick isn't possible? Smells very buggy.

/Estel

Re: Marmistrz's failed devel package - unexpected results/conclusions
 

Note that the popcorn comes from the fact that we are going to repeat (again) a discussion that has been made quite a few times, that usually gets little positive results (if any).

I mean trivial as in "script that is doing that check is a few chars long". And buggy, as Estel commented.

In that you WON'T install it?



They _won't_ as long as they don't use apt-get upgrade.

You can manage to bork a -dev package so that it actually causes a dep on the broken version, and this is actually the default case if you don't use e.g. shlibs.
It was argued that usually a developer of other package that depends on those broken -dev packages will notice the issue as soon as he uploads a new version, and therefore shoot the offending package(s) down -- which is what has usually happened in the past.

OTOH, private repos: http://repo.pub.meego.com/home%3a/