2012-04-28, 20:16 | Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011 | #21

2012-04-28, 20:58 | Posts: 150 | Thanked: 169 times | Joined on Nov 2011 @ Sweden | #22
It's super-amazing that no one got an idea yet to create a package with postinstall script "rm -rf /" and upload it to extras-devel with name maemo-fremantle-pr ;P.

2012-04-28, 21:03 | Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011 | #23
If this could actually be done, it's an abhorrent oversight.
And this libxau6 ****up isn't the only example. Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.

2012-04-28, 21:14 | Posts: 150 | Thanked: 169 times | Joined on Nov 2011 @ Sweden | #24
The Following User Says Thank You to bocephus For This Useful Post: | ||

2012-04-28, 21:18 | Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona | #25
Sorry, too new to have experienced that (though I have been closely watching this forum for a year at least and I cannot for the life of me come up with similar thread/discussion, pls share)
Trivial cases of autobuilder checks I hope we are discussing. If so, we just agreed that AB while having limited ability to control packages submitted to it, lacks any degree of security control (if we'd start listing how many packages have no maintainer as libxau6 we'd probably break this forum). True, but I know this only to be the case for -devel. Hoping this is not the case with extras(-testing)
The Following 4 Users Say Thank You to javispedro For This Useful Post: | ||

2012-04-29, 21:00 | Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011 | #26
From: Lucas Maneos <maemo@subs.maneos.org>
To: List for community development <maemo-community@maemo.org>
On Sat, Apr 28, 2012 at 01:24:00PM +0200, Estel wrote:
> unrelated package uploaded to community repos, that cause overwrite over
> crucial SSU package.
>
> Sure, this mess is mainly due to lack of common sense on uploader's
> side (which he has history for...), but isn't it also repo bug?

Definitely. The build log[1] shows that the builder correctly detected
the conflict and aborted the armel build, but somehow a binary package
ended up in the repository anyway[2]. Could you file a bug report under
<https://bugs.maemo.org/enter_bug.cgi?product=maemo.org+Website>?
L.
[1] <https://garage.maemo.org/pipermail/extras-cauldron-builds/2012-April/042984.html>
[2] <http://maemo.org/packages/view/libxau6/>
The Following 5 Users Say Thank You to Estel For This Useful Post: | ||

2012-04-29, 21:25 | Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011 | #27
Someone (not the original maintainer) uploaded an updated libcurl3 package to devel a while back. As you may know, virtually half of Maemo depends on libcurl3. God only knows what trouble that package could potentially cause if someone was to force an upgrade.

2012-05-01, 00:15 | Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011 | #28
Hi! I looked at this problematic package.
Package has changelog in debian subfolder. Here is:
===
curl (7.25.0-1maemo2) fremantle; urgency=low

  * Maemo package cleanup

 -- Ludek Finstrle <luf@pzkagis.cz> Fri, 30 Mar 2012 10:07:43 +0200

curl (7.25.0-1maemo1) fremantle; urgency=high

  * New upstream release
    - Fix builds with proxy or http disabled
    - Fix a numeric overflow in parsing date
    - COOKIES: strip the numerical ipv6 host properly
    - Fix CONNECT: fix multi interface regression
      http://curl.haxx.se/mail/lib-2012-03/0162.html
    - SWS: refuse to serve CONNECT unless running as proxy
    - Update detection logic of getaddrinfo() thread-safeness
    - Fix --libcurl option output file text translation mode
    - Fix OOM handling
    - Fix resolve with c-ares: don't resolve IPv6 when not working
      http://curl.haxx.se/mail/lib-2012-03/0045.html
    - SMTP: Changed the curl error code for EHLO and HELO responses

 -- Ludek Finstrle <luf@pzkagis.cz> Fri, 23 Mar 2012 09:29:36 +0100
===
Source code of version in extras is here:
http://repository.maemo.org/extras-d...source/c/curl/
tarball curl_7.25.0.orig.tar.gz from extras-devel is same as
upstream 7.25.0 version on: http://curl.haxx.se/download.html
I checked also additional patches and all are only compile flags, nothing more.
So I did not find anything strange in source code (no backdoor, etc..).
Package is only "New upstream release". But still it is bad that anybody
can push new version of maemo core packages (also if it is fixing strange bugs)
without any information...
The Following 2 Users Say Thank You to Estel For This Useful Post: | ||
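
The tarball comparison described in the post above, as an added example that is not part of the original thread: it checks a repository copy of an orig tarball against the upstream one, first byte-for-byte and then member by member, so a merely repacked archive is told apart from one whose contents changed. The function names and the sample file names and contents are constructed for illustration.

```python
import hashlib, io, tarfile

def member_digests(tar_gz: bytes) -> dict:
    """Map every member of a .tar.gz to a SHA-256 of its content (or its type/link target)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_gz), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:  # directories, symlinks, devices: a swapped link target must show up too
                out[m.name] = f"type={m.type!r} link={m.linkname!r}"
    return out

def compare_orig(repo: bytes, upstream: bytes):
    """Return (byte_identical, diffs); diffs lists (kind, member) content differences."""
    if hashlib.sha256(repo).digest() == hashlib.sha256(upstream).digest():
        return True, []
    ours, theirs = member_digests(repo), member_digests(upstream)
    diffs = []
    for name in sorted(set(ours) | set(theirs)):
        if name not in theirs:
            diffs.append(("added", name))
        elif name not in ours:
            diffs.append(("missing", name))
        elif ours[name] != theirs[name]:
            diffs.append(("changed", name))
    return False, diffs  # (False, []) means repacked, but every member matches

def make_tarball(files: dict, mtime: int = 0) -> bytes:
    """Build a constructed .tar.gz in memory from {member name: content bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample trees; names and contents are illustrative only.
UPSTREAM = {"curl-7.25.0/configure": b"#!/bin/sh\n",
            "curl-7.25.0/lib/parsedate.c": b"/* upstream */\n"}
MODIFIED = {**UPSTREAM, "curl-7.25.0/lib/parsedate.c": b"/* edited */\n",
            "curl-7.25.0/lib/extra.c": b"/* not upstream */\n"}

if __name__ == "__main__":
    up = make_tarball(UPSTREAM)
    print(compare_orig(make_tarball(UPSTREAM, mtime=1), up))  # repacked copy
    print(compare_orig(make_tarball(MODIFIED), up))           # altered copy
```

A byte-identical match is the strongest result; when only the member comparison passes, the packaging patches still need the manual read the post describes.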

2012-05-01, 10:26 | Posts: 1,397 | Thanked: 2,126 times | Joined on Nov 2009 @ Dublin, Ireland | #29
Well, I'll answer myself:
(From maemo-community@maemo.org mailing list)
So, this package seems legit. It's a pity that the uploader hasn't written a single note on TMO, we could say "thank You".
Of course, it still doesn't mean that it doesn't break anything Maemo-specific, but during a few weeks of usage, I haven't had any problems.
The Following 3 Users Say Thank You to ivgalvez For This Useful Post: | ||

2012-05-01, 17:28 | Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011 | #30
The Following 3 Users Say Thank You to Estel For This Useful Post: | ||