Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bug reports will be closed without further action.
FS#75209 - A concern regarding part of the .BUILDINFO file
Attached to Project:
Pacman
Opened by Saphira Kai (SaphiraKai) - Friday, 01 July 2022, 14:48 GMT
Last edited by Allan McRae (Allan) - Friday, 23 December 2022, 14:02 GMT
Details

I and a small group of Arch Linux users have concerns regarding the `installed` field of the .BUILDINFO file generated by makepkg. Obviously this field is very useful for reproducing builds and tracking down packaging issues, but we find the fact that it stores that information by default and without any warning concerning. Privacy is one obvious issue, as is the potential security issue of listing the versions of all packages, including services that may be internet-facing. Of course Arch is intended to be kept up to date at all times, but this unfortunately doesn't always happen. Likewise, the issue, *if known about*, can be easily solved by building in a chroot or container or by simply editing the file; however, it's not at all obvious without having dissected packages before that this information is being stored in the first place.
We would very much like to see this feature made opt-in with a command line flag, or even simply having makepkg print a notice that states that all packages installed on the system running makepkg are recorded in the built package. We don't believe such changes would have a negative impact on experienced users who are already well aware of this behavior and make use of it regularly; they would only serve to prevent any issues from arising due to being uninformed about this feature.
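As an added example (not part of this report and not pacman's or makepkg's own tooling), the following POSIX shell functions pull the `installed` entries out of a built package's .BUILDINFO so a packager can see exactly what a package discloses about the build host before distributing it. It assumes `bsdtar` (libarchive, which pacman depends on) for reading the package archive; the sample .BUILDINFO, its package names and versions, and the watch list of service names are constructed for offline use and are not taken from any real package.

```shell
#!/bin/sh
# Added example: audit what a built package's .BUILDINFO records about the
# build host. Not part of pacman; assumes a POSIX shell and bsdtar.

# Print the value of every "installed = ..." line of a .BUILDINFO read on stdin.
buildinfo_installed() {
    sed -n 's/^installed = //p'
}

# Reduce "pkgname-pkgver-pkgrel-arch" entries on stdin to bare package names.
# pkgver cannot contain "-", so dropping the last three "-"-separated fields
# is safe even for names that themselves contain hyphens (e.g. python-foo).
installed_names() {
    sed 's/-[^-]*-[^-]*-[^-]*$//'
}

# Count lines on stdin (awk avoids the leading spaces some wc builds print).
count_lines() {
    awk 'END { print NR }'
}

# Print the names on stdin that appear in a space-separated watch list ($1),
# e.g. services a packager would not want to advertise versions of.
installed_matching() {
    awk -v watch="$1" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) seen[w[i]] = 1 }
        ($0 in seen) { print }'
}

# Audit a real package file: print the watched names recorded in its .BUILDINFO.
# Usage: audit_package ./example-1.0-1-x86_64.pkg.tar.zst "nginx openssh apache"
audit_package() {
    bsdtar -xOf "$1" .BUILDINFO | buildinfo_installed | installed_names | installed_matching "$2"
}

# Constructed, abbreviated .BUILDINFO for running the functions offline. Real
# files carry more fields and typically hundreds of "installed" lines.
sample_buildinfo() {
    cat <<'EOF'
format = 2
pkgname = example
pkgbase = example
pkgver = 1.0-1
pkgarch = x86_64
packager = Unknown Packager <unknown@example.org>
builddate = 1656686900
buildtool = makepkg
installed = glibc-2.35-6-x86_64
installed = openssh-9.0p1-1-x86_64
installed = nginx-1.22.0-1-x86_64
EOF
}

# Demonstration on the constructed sample: prints "openssh" and "nginx".
sample_buildinfo | buildinfo_installed | installed_names | installed_matching "nginx openssh apache"
```

Run `audit_package` against a package you have just built to see the full list; `sample_buildinfo | buildinfo_installed | count_lines` on a real file shows how many installed packages a single build records. The name-splitting rule relies on makepkg's `name-version-release-arch` layout for these entries, which is the only format assumption the script makes.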
This task depends upon
Closed by Allan McRae (Allan)
Friday, 23 December 2022, 14:02 GMT
Reason for closing: Not a bug
Additional comments about closing: working as intended
I personally don't understand why any extremely privacy conscious person would build any binary on their system and distribute it widely without understanding the implications.