Bug#1021390: nvda2speechd: downloads source from the network during build
Adrian Bunk
bunk at debian.org
Mon Oct 10 19:51:25 BST 2022
Control: severity -1 serious
[ adding debian-wb-team to Cc ]
On Fri, Oct 07, 2022 at 01:55:41PM +0200, Samuel Thibault wrote:
> Control: severity -1 important
>
> Andreas Beckmann, on Fri. 07 Oct. 2022 13:38:15 +0200, wrote:
> > Justification: fails to build from source (but built successfully in the past)
> >
> > During a local rebuild of contrib and non-free (w/o network access
> > permitted), I noticed
>
> It can build the source, just not without the network. That's why it's
> in contrib, not main.
AFAIK accessing the network from the buildds is simply forbidden.
And what your package does is even worse:
It executes a script downloaded from the internet,
compromising the security of the buildds.
Whoever controls sh.rustup.rs could for example provide a special
version of the script for Debian buildds that tries to find and
upload the private keys used on the buildds.
> Samuel
cu
Adrian
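
The concern raised in this message, a build that fetches a script from the network and runs it, can be checked for in packaging before upload. The sketch below is an added example, not part of the thread or of the nvda2speechd packaging; the pattern set, the function names and the sample rules file are assumptions constructed for illustration.

```python
import re

# Commands that fetch from the network (assumed set, not exhaustive).
FETCH = re.compile(r"\b(curl|wget)\b|\bgit\s+clone\b|\bcargo\s+install\b")
# A fetch whose output is piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")
# sh -c "$(curl ...)" style command substitution.
SUBST_EXEC = re.compile(r"\b(ba|da|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b")

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, joined_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:          # file ended on a continuation
        yield start, buf

def scan(text):
    """Return [(line_number, severity, command)] for network use in a build script."""
    findings = []
    for no, line in logical_lines(text):
        code = line.split("#", 1)[0].strip()   # ignore comments
        if PIPE_TO_SHELL.search(code) or SUBST_EXEC.search(code):
            findings.append((no, "download-and-execute", code))
        elif FETCH.search(code):
            findings.append((no, "network-fetch", code))
    return findings

# Constructed sample rules file with placeholder hosts.
SAMPLE_RULES = """\
#!/usr/bin/make -f
# curl is mentioned only in this comment
override_dh_auto_configure:
\tcurl --proto '=https' -sSf https://installer.example/setup.sh \\
\t\t| sh -s -- -y
override_dh_auto_build:
\twget https://downloads.example/vendor.tar.gz
\tcargo build --release --offline
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_RULES):
        print(finding)
```

A text scan like this only catches fetches written directly in the rules file; building with network access disabled, as in the rebuild that found this bug, also catches fetches made by tools the build invokes.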