Originally Posted by javispedro (Post 1198806)

Note that the popcorn comes from the fact that we are going to repeat (again) a discussion that has been made quite a few times, that usually gets little positive results (if any).

Originally Posted by misiak (Post 1198698)

It's super-amazing that noone got an idea yet to create a package with postinstall script "rm -rf /" and upload it to extras-devel with name maemo-fremantle-pr ;P.

Originally Posted by bocephus (Post 1198830)

If this could actually be done, it's an abhorrent oversight.

And this libxau6 ****up isn't the only example. Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.

Originally Posted by szopin (Post 1198833)

Funny, seen same package as update candidate, but no threads about it. Did you have any bad experience with it?

Originally Posted by szopin (Post 1198813)

Sorry, too new to have experienced that (though I have been closely watching this forum for a year at least and I cannot for the life of me come up with similar thread/discussion, pls share)

Originally Posted by szopin (Post 1198813)

Trivial cases of autobuilder checks I hope we are discussing. If so, we just agreed that AB while having limited ability to control packages submitted to it, lacks any degree of security control (if we'd start listing how many pakages have no maintainer as libxau6 we'd probably break this forum). True, but I know this only to be the case for -devel. Hoping this is not the case with extras(-testing)

---

> unrelated package uploaded to community repos, that cause overwrite over
> crucial SSU package.
>
> Sure, this mess is mainly due to lack of common sense on uploader's
> side (which he has history for...), but isn't it also repo bug?

---

Originally Posted by bocephus (Post 1198830)

Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.

Originally Posted by Pali

Hi! I looked at this problematic package.

Package has changelog in debian subfolder. Here is:

===
curl (7.25.0-1maemo2) fremantle; urgency=low
* Maemo package cleanup

-- Ludek Finstrle <luf@pzkagis.cz> Fri, 30 Mar 2012 10:07:43 +0200

curl (7.25.0-1maemo1) fremantle; urgency=high
* New upstream release
- Fix builds with proxy or http disabled
- Fix a numeric overflow in parsing date
- COOKIES: strip the numerical ipv6 host properly
- Fix CONNECT: fix multi interface regression
http://curl.haxx.se/mail/lib-2012-03/0162.html
- SWS: refuse to serve CONNECT unless running as proxy
- Update detection logic of getaddrinfo() thread-safeness
- Fix --libcurl option output file text translation mode
- Fix OOM handling
- Fix resolve with c-ares: don't resolve IPv6 when not working
http://curl.haxx.se/mail/lib-2012-03/0045.html
- SMTP: Changed the curl error code for EHLO and HELO responses

-- Ludek Finstrle <luf@pzkagis.cz> Fri, 23 Mar 2012 09:29:36 +0100
===

Source code of version in extras is here:
http://repository.maemo.org/extras-d...source/c/curl/

tarball curl_7.25.0.orig.tar.gz from extras-devel is same as
upstream 7.25.0 version on: http://curl.haxx.se/download.html

I checked also additional patches and all are only compile flags, nothing more.

So I did not found anything strange in source code (no backdoor, etc..).

Package is only "New upstream release". But still it is bad that anybody
can push new version of maemo core packages (also if it fixing strange bugs)
without any informations...

Originally Posted by Estel (Post 1199780)

Well, I'll answer myself:

(From maemo-community@maemo.org mailing list)


So, this package seems legit. It's pity, that uploader haven't wrote a single note on TMO, we could say "thank You" ;) Of course, it still doesn't mean that it doesn't break anything Maemo-specific, but due few weeks of usage, I haven't had any problems.