[Debconf-devel] Bug#1136114: debconf: validate format and driver names before eval STRING

[Sebastian EM]

Hi Colin,

To clarify more precisely: LLM-assisted local tooling was involved in the
bug discovery and analysis workflow, mainly to help navigate the code paths
and organize the findings.

The patch itself was authored by me using the debconf source tree, your
feedback, and the evidence I had already collected while continuing to
validate the behavior locally. The turnaround was quick because I had
already been investigating and testing the issue in parallel.

I understand the provenance/licensing concern, so if this is still not
acceptable for debconf, please feel free to disregard the patch as a code
contribution. I can instead provide the analysis, tests, and design notes,
or prepare a smaller patch following whatever process you prefer.

Best regards,
Jeremy

El dom, 10 may 2026 a las 17:36, Colin Watson (<cjwatson at debian.org>)
escribió:

> On Sun, May 10, 2026 at 05:28:17PM -0500, Sebastian EM wrote:
> >Thank you again for the detailed guidance.
> >
> >I took up your suggestion and prepared a revised patch that avoids string
> >eval for the dynamic debconf plugin-loading paths instead of only
> >validating immediately before the eval.
> >
> >The patch introduces a small reusable Debconf::Plugin helper.
>
> Thanks for this.  Before I look at the patch in any detail, could you
> please confirm whether there was any LLM involvement in creating it?  It
> was surprisingly quick given the description of how much you did, and
> I'd like to check because I do not want debconf's licensing status made
> ambiguous by the output of an LLM.
>
> (Sorry to have to check, but this is the world we apparently live in
> now.)
>
> Regards,
>
> --
> Colin Watson (he/him)                              [cjwatson at debian.org]
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debconf-devel/attachments/20260510/7eda66fd/attachment.htm>