Bug 612994 - [Tracker] DISTDIR globs
Summary: [Tracker] DISTDIR globs
Status: CONFIRMED
Alias: None
Product: Quality Assurance
Classification: Unclassified
Component: Trackers
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Quality Assurance Team
Keywords: Tracker
Depends on: 612906 612916 612920 612996 612998 613000 613002 613004 613006
Reported: 2017-03-18 09:39 UTC by Michał Górny
Modified: 2021-07-21 00:49 UTC

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-03-18 09:39:41 UTC
It seems that some ebuilds are attempting globbing in DISTDIR and similar ops. While this partially works in Portage because of shadow dir use, this is unreliable and a very bad idea.

Common mistakes:

1. cp "${DISTDIR}"/* ...

  -- this can actually copy *all* files ever downloaded on the system

2. cp "${DISTDIR}"/${P}-* ...

  -- you can't really rely on DISTDIR containing no other file with this prefix.
Comment 1 Ulrich Müller gentoo-dev 2017-03-18 12:11:06 UTC
This may even have security implications if the glob matches a file where Manifest checksum verification failed and that portage has stored in DISTDIR under a *_checksum_failure_* name.
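
An added example, not part of the bug report or of Portage: a POSIX shell sketch that builds a throwaway DISTDIR and compares the ${P}-* glob from the description with an explicit walk over ${A}. The function names, the sample file names (including the _checksum_failure_ one) and the choice of ${A} as the alternative are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo: a DISTDIR glob versus an explicit walk over ${A}.
# Every file name below is made up for illustration.

make_sample_distdir() {
    d=$(mktemp -d) || return 1
    for f in \
        foo-1.0-data.tar.gz \
        foo-1.0-docs.tar.gz \
        foo-1.0-data.tar.gz._checksum_failure_.x1y2z3 \
        foo-1.0-rc1-data.tar.gz \
        bar-2.0.tar.gz
    do
        : > "$d/$f"      # empty placeholder files are enough here
    done
    printf '%s\n' "$d"
}

# The mistake from the report: cp "${DISTDIR}"/${P}-* ...
# $1 = DISTDIR, $2 = P; prints the basenames the glob would hand to cp.
files_by_glob() {
    for match in "$1"/"$2"-*; do
        [ -e "$match" ] || continue   # an unmatched glob stays literal
        printf '%s\n' "${match##*/}"
    done
}

# Explicit walk: $1 = DISTDIR, remaining arguments = the words of ${A}.
# Fails loudly instead of silently picking up something else.
files_by_A() {
    dir=$1; shift
    for name in "$@"; do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$name"
        else
            printf 'missing distfile: %s\n' "$name" >&2
            return 1
        fi
    done
}

DISTDIR=$(make_sample_distdir)
P=foo-1.0
A="foo-1.0-data.tar.gz foo-1.0-docs.tar.gz"

echo "glob picks up:";  files_by_glob "$DISTDIR" "$P"
echo "\${A} picks up:"; files_by_A "$DISTDIR" $A   # $A unquoted on purpose
rm -rf "$DISTDIR"
```

With the sample directory the glob returns four names, among them the file that failed verification and a distfile belonging to another version, while the ${A} walk returns only the two files the ebuild declared.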