[DC LoCo] thoughts about a tool to verify certain PPAs

Daniel Chen seven.steps at gmail.com
Tue Oct 12 13:47:55 BST 2010


On Tue, Oct 12, 2010 at 8:23 AM, Kenneth Stailey <kstailey at yahoo.com> wrote:
> Many PPAs are simply the upstream source plus the "debian" directory.

...which may not be "good" packaging, but I digress


> It should not be so hard to write a tool that could download the upstream provider's source code and the source code from a PPA and run a diff on them.

If you mean "a more automated tool," there's room for improving how
the various bzr branches on Launchpad are exposed.  The (manual)
functionality itself of which you speak is already available to a high
degree.


> It would help prove that there's no monkey business in someone's PPA.

"Proof" of no monkey business is non-trivial, but at least there's
http://www.dwheeler.com/trusting-trust/ .


> You still would have to ascertain that the debian/rules etc. do not have malware in them.

Eh?  Plain-text (Makefile stub)?


> But would it be a step in the right direction?

A step forward, yes.  You speak mostly of automation and UI
enhancements, and that's usually a Good Thing.

Best,
-Dan
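The check Kenneth sketches above (PPA source = upstream source + debian/) can be automated in a few dozen lines once both trees are on disk. The following is an added example for this thread, not code from the list or from Launchpad. It assumes the two trees have already been fetched and unpacked (in practice the PPA side via `dget <url-to-.dsc>` and `dpkg-source -x`, the upstream side from the project's release tarball); the trees built by build_sample_trees() are constructed sample data, not real packages. It hashes every file in both trees, flags any file outside debian/ that was added, removed or modified (those are the "monkey business" candidates), and lists what is under debian/ so a human can still read debian/rules and friends, which this script deliberately does not judge.

```python
"""Check that a PPA source tree is 'upstream plus debian/' and nothing more.

Added example for this thread; not code from the list or from Launchpad.
Assumes both trees are already unpacked on disk; build_sample_trees() makes
constructed sample data (a fake upstream, a clean PPA, a tampered PPA).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large sources are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root):
    """Map every regular file under root (relative POSIX path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(upstream_dir, ppa_dir):
    """Report where the PPA tree departs from pristine upstream.

    'outside_debian' holds (kind, path) for every added, removed or modified
    file outside debian/. For an honest 'upstream + debian/' package it is
    empty; anything in it means the upstream code itself was touched and
    must be read. 'debian_files' lists what sits under debian/ for manual
    review; nothing here judges the contents of debian/rules etc.
    """
    up = tree_digests(upstream_dir)
    ppa = tree_digests(ppa_dir)
    outside_debian, debian_files = [], []
    for rel in sorted(set(up) | set(ppa)):
        if rel.split("/", 1)[0] == "debian":
            if rel in ppa:
                debian_files.append(rel)
            continue
        if rel not in ppa:
            outside_debian.append(("removed", rel))
        elif rel not in up:
            outside_debian.append(("added", rel))
        elif up[rel] != ppa[rel]:
            outside_debian.append(("modified", rel))
    return {"outside_debian": outside_debian, "debian_files": debian_files}


def _write(root, rel, text):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_sample_trees(base):
    """Constructed sample data: upstream, a clean PPA and a tampered PPA."""
    upstream = Path(base, "foo-1.0")
    _write(upstream, "README", "foo 1.0\n")
    _write(upstream, "src/main.c", "int main(void) { return 0; }\n")

    # Honest packaging: upstream files untouched, only debian/ added.
    clean = Path(base, "ppa-clean/foo-1.0")
    for rel in tree_digests(upstream):
        _write(clean, rel, Path(upstream, rel).read_text())
    _write(clean, "debian/rules", "#!/usr/bin/make -f\n%:\n\tdh $@\n")
    _write(clean, "debian/control", "Source: foo\n")
    _write(clean, "debian/changelog", "foo (1.0-0ppa1) lucid; urgency=low\n")

    # Tampered packaging: same debian/, but upstream code edited and a file added.
    tampered = Path(base, "ppa-tampered/foo-1.0")
    for rel in tree_digests(clean):
        _write(tampered, rel, Path(clean, rel).read_text())
    _write(tampered, "src/main.c", "int main(void) { return 1; }\n")
    _write(tampered, "src/helper.c", "/* not in upstream */\n")
    return upstream, clean, tampered


def demo():
    """Build the sample trees in a temp dir and run both comparisons."""
    with tempfile.TemporaryDirectory() as base:
        upstream, clean, tampered = build_sample_trees(base)
        return {"clean": compare_trees(upstream, clean),
                "tampered": compare_trees(upstream, tampered)}


if __name__ == "__main__":
    for name, report in demo().items():
        verdict = "OK" if not report["outside_debian"] else "REVIEW"
        print(name, verdict, report)
```

Run it as-is and the clean tree reports nothing outside debian/, while the tampered one flags src/main.c as modified and src/helper.c as added. An empty outside_debian list is only half the story, as Dan notes: it proves the upstream code was not touched, not that debian/rules or a debian/patches/ series is harmless, so the debian_files list is there to be read, not ignored.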



More information about the Ubuntu-us-dc mailing list