prepstrip has:

    cat "${T}"/debug.sources | (cd "${WORKDIR}"; LANG=C sort -z -u | \
        rsync -aL0 --files-from=- "${WORKDIR}/" "${D}${sources_dir}/" )

rsync(1) says:

    -a, --archive               archive mode; equals -rlptgoD (no -H,-A,-X)
    ...
    -r, --recursive             recurse into directories
    -l, --links                 copy symlinks as symlinks
    -p, --perms                 preserve permissions
    -t, --times                 preserve times
    -g, --group                 preserve group
    -o, --owner                 preserve owner (super-user only)
        --devices               preserve device files (super-user only)
        --specials              preserve special files
    -D                          same as --devices --specials

This means that installsources will happily copy world-writable source files over; possible security hole?

World-writable source files seem to happen a lot when using a git.eclass ebuild, but may arise elsewise.

Suggest: rsync -rtL0 etc. All we need is recursive; times are nice as well. Copying perms, owner and group is potentially harmful; preserving devices and specials is just silly.
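A check for the concern raised in the report above, as an added example (not part of the bug report or of Portage): it walks a copied source tree and flags world-writable files and directories, special files, and setuid/setgid files, which are the attributes `rsync -a` carries over. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a copied source tree for attributes that
# "rsync -a" (-p, -D) preserves from the build directory.

# Print one "CLASS<TAB>PATH" line per finding under DIR.
audit_sources_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # World-writable regular files and directories. find does not follow
    # symlinks by default, so link targets outside DIR are not reported.
    find "$dir" \( -type f -o -type d \) -perm -0002 \
        -exec printf 'world-writable\t%s\n' {} \;
    # Block/char devices, FIFOs and sockets (what -D would copy).
    find "$dir" \( -type b -o -type c -o -type p -o -type s \) \
        -exec printf 'special\t%s\n' {} \;
    # setuid/setgid bits are permission bits too, so -p keeps them.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'setid\t%s\n' {} \;
}

# Count findings of one CLASS under DIR (prints 0 when there are none).
count_findings() {
    audit_sources_tree "$1" |
        awk -F'\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed sample tree: one normal file, one world-writable file,
# one FIFO. Prints the path of the temporary directory it created.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/pkg/src"
    chmod 755 "$t/pkg" "$t/pkg/src"
    echo 'int main(void) { return 0; }' > "$t/pkg/src/ok.c"
    chmod 644 "$t/pkg/src/ok.c"
    echo '/* scratch */' > "$t/pkg/src/loose.c"
    chmod 666 "$t/pkg/src/loose.c"
    mkfifo "$t/pkg/src/build.fifo"
    chmod 600 "$t/pkg/src/build.fifo"
    echo "$t"
}

# Usage against an image directory: audit_sources_tree "${D}${sources_dir}"
```

An empty result means none of the flagged attributes reached the copied tree.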
Created attachment 104824
installsources-safe-copy.patch

Patch against 2.1.2_rc4-r1: use -rtL0

btw, -L is --copy-links "transform symlink into referent file/dir", see bug 144928
This is in svn r5408. Thanks.
This has been released in 2.1.2_rc4-r2.