Debian Bug report logs - #859199

ITP: dh-curl-sudo-bash -- debhelper tools for automated non-packaging

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Stuart Prescott <stuart@debian.org> Date: Fri, 31 Mar 2017 13:03:02 UTC Owned by: Stuart Prescott <stuart@debian.org> Severity: wishlist Done: Lars Wirzenius <liw@liw.fi> Bug is archived. No further changes may be made.

Toggle useless messages

Report forwarded to debian-bugs-dist@lists.debian.org, stuart@debian.org, debian-devel@lists.debian.org, wnpp@debian.org :

Bug#859199 ; Package wnpp . (Fri, 31 Mar 2017 13:03:04 GMT) (full text, mbox, link).

Acknowledgement sent to Stuart Prescott <stuart@debian.org> :

New Bug report received and forwarded. Copy sent to stuart@debian.org, debian-devel@lists.debian.org, wnpp@debian.org . (Fri, 31 Mar 2017 13:03:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stuart Prescott <stuart@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: ITP: dh-curl-sudo-bash -- debhelper tools for automated non-packaging Date: Sat, 01 Apr 2017 00:00:35 +1100

Package: wnpp Severity: wishlist Owner: Stuart Prescott <stuart@debian.org> * Package name : dh-curl-sudo-bash Version : 1.1 Upstream Author : Lars Wirzenius <liw@liw.fi> and Stuart Prescott <stuart@debian.org> * URL : http://deb.li/U67E * License : BSD 3 clause Programming Lang: POSIX shell, Perl Description : debhelper tools for automated non-packaging The dh-curl-sudo-bash package provides a build-system method for debhelper that automates the non-packaging of programs for which the preferred form of distribution is the sequence "curl http://example.com/setup.sh | sudo bash -" dh-curl-sudo-bash causes debhelper to create a maintainer post-install script that runs the above command on the target machine when the package is installed. Running dpkg-reconfigure is therefore enough to upgrade the package too, thus preventing problems with upgrades. The dh-curl-sudo-bash source package Build-Depends on devscripts so that uscan can be embedded into the postinst to find the correct URL for upgrades. Example usage: debian/rules: %: dh $@ --buildsystem=curl_sudo_bash debian/curl_sudo_bash.watch: http://example.com/setup-(.*\..*).sh For completeness, other shells can also be selected by exporting the variable DH_CURL_SUDO_SHELL from debian/rules: export DH_CURL_SUDO_SHELL=mksh A future extension to dh-curl-sudo-bash is planned that will permit any github repository to be automatically (non-)packaged; the following version will iterate over all github and gitlab repositories packaging everything available. We anticipate that this will make all other Debian Developers redundant as from now on the only thing that is now required to make high quality packages for Debian is to include the relevant URL. This package also obsoletes the previous apt-gentoo package.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Stuart Prescott <stuart@debian.org> :

Bug#859199 ; Package wnpp . (Fri, 31 Mar 2017 13:51:02 GMT) (full text, mbox, link).

Acknowledgement sent to Adam Borowski <kilobyte@angband.pl> :

Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Stuart Prescott <stuart@debian.org> . (Fri, 31 Mar 2017 13:51:02 GMT) (full text, mbox, link).

Message #10 received at 859199@bugs.debian.org (full text, mbox, reply):

From: Adam Borowski <kilobyte@angband.pl> To: debian-devel@lists.debian.org, 859199@bugs.debian.org Subject: Re: Bug#859199: ITP: dh-curl-sudo-bash -- debhelper tools for automated non-packaging Date: Fri, 31 Mar 2017 15:48:38 +0200

On Sat, Apr 01, 2017 at 12:00:35AM +1100, Stuart Prescott wrote: > * Package name : dh-curl-sudo-bash > Upstream Author : Lars Wirzenius <liw@liw.fi> and Stuart Prescott <stuart@debian.org> > * URL : http://deb.li/U67E > Description : debhelper tools for automated non-packaging > > The dh-curl-sudo-bash package provides a build-system method for debhelper > that automates the non-packaging of programs for which the preferred form of > distribution is the sequence > > "curl http://example.com/setup.sh | sudo bash -" I think you should also convert all https URLs to http, to make sure the download works over restrictive firewalls and when the user's connection is poorly MitMed. It would also avoid unexpected FTBFS when a certificate expires. -- ⢀⣴⠾⠻⢶⣦⠀ Meow! ⣾⠁⢠⠒⠀⣿⡁ ⢿⡄⠘⠷⠚⠋⠀ Collisions shmolisions, let's see them find a collision or second ⠈⠳⣄⠀⠀⠀⠀ preimage for double rot13!

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Stuart Prescott <stuart@debian.org> :

Bug#859199 ; Package wnpp . (Fri, 31 Mar 2017 15:03:09 GMT) (full text, mbox, link).

Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com> :

Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Stuart Prescott <stuart@debian.org> . (Fri, 31 Mar 2017 15:03:09 GMT) (full text, mbox, link).

Message #15 received at 859199@bugs.debian.org (full text, mbox, reply):

From: Bastien ROUCARIES <roucaries.bastien@gmail.com> To: Stuart Prescott <stuart@debian.org>, 859199@bugs.debian.org Subject: Re: Bug#859199: ITP: dh-curl-sudo-bash -- debhelper tools for automated non-packaging Date: Fri, 31 Mar 2017 16:57:58 +0200

On Fri, Mar 31, 2017 at 3:00 PM, Stuart Prescott <stuart@debian.org> wrote: > Package: wnpp > Severity: wishlist > Owner: Stuart Prescott <stuart@debian.org> > > * Package name : dh-curl-sudo-bash > Version : 1.1 > Upstream Author : Lars Wirzenius <liw@liw.fi> and Stuart Prescott <stuart@debian.org> > * URL : http://deb.li/U67E > * License : BSD 3 clause > Programming Lang: POSIX shell, Perl For better portability could be reimplemented in javascript of the day using nodejs as engine. I will also like a project like this to be cut in a dozen of packages for better reusuability. Piping could be implemented using a few different nodejs package. could you let the choice to the user ? About BSD3 could you please relicence under another license like MIT or zlib ? Thank you > Description : debhelper tools for automated non-packaging > > The dh-curl-sudo-bash package provides a build-system method for debhelper > that automates the non-packaging of programs for which the preferred form of > distribution is the sequence > > "curl http://example.com/setup.sh | sudo bash -" > > dh-curl-sudo-bash causes debhelper to create a maintainer post-install script > that runs the above command on the target machine when the package is installed. > Running dpkg-reconfigure is therefore enough to upgrade the package too, thus > preventing problems with upgrades. The dh-curl-sudo-bash source package > Build-Depends on devscripts so that uscan can be embedded into the postinst to > find the correct URL for upgrades. > > Example usage: > > debian/rules: > > %: > dh $@ --buildsystem=curl_sudo_bash > > debian/curl_sudo_bash.watch: > > http://example.com/setup-(.*\..*).sh > > For completeness, other shells can also be selected by exporting the variable > DH_CURL_SUDO_SHELL from debian/rules: > > export DH_CURL_SUDO_SHELL=mksh > > A future extension to dh-curl-sudo-bash is planned that will permit any github > repository to be automatically (non-)packaged; the following version will > iterate over all github and gitlab repositories packaging everything available. > > We anticipate that this will make all other Debian Developers redundant as > from now on the only thing that is now required to make high quality packages > for Debian is to include the relevant URL. This package also obsoletes the > previous apt-gentoo package. >

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Stuart Prescott <stuart@debian.org> :

Bug#859199 ; Package wnpp . (Sun, 02 Apr 2017 05:30:03 GMT) (full text, mbox, link).

Acknowledgement sent to Dmitry Bogatov <KAction@gnu.org> :

Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Stuart Prescott <stuart@debian.org> . (Sun, 02 Apr 2017 05:30:03 GMT) (full text, mbox, link).

Message #20 received at 859199@bugs.debian.org (full text, mbox, reply):

From: Dmitry Bogatov <KAction@gnu.org> To: Adam Borowski <kilobyte@angband.pl> Cc: debian-devel@lists.debian.org, 859199@bugs.debian.org Subject: Re: Bug#859199: ITP: dh-curl-sudo-bash -- debhelper tools for automated non-packaging Date: Sun, 02 Apr 2017 08:27:17 +0300

[2017-03-31 15:48] Adam Borowski <kilobyte@angband.pl> > > part text/plain 975 > On Sat, Apr 01, 2017 at 12:00:35AM +1100, Stuart Prescott wrote: > > * Package name : dh-curl-sudo-bash > > Upstream Author : Lars Wirzenius <liw@liw.fi> and Stuart Prescott <stuart@debian.org> > > * URL : http://deb.li/U67E > > Description : debhelper tools for automated non-packaging > > > > The dh-curl-sudo-bash package provides a build-system method for debhelper > > that automates the non-packaging of programs for which the preferred form of > > distribution is the sequence > > > > "curl http://example.com/setup.sh | sudo bash -" > I think you should also convert all https URLs to http, to make sure the > download works over restrictive firewalls and when the user's connection is > poorly MitMed. It would also avoid unexpected FTBFS when a certificate > expires. Wait a minute. Is it a joke? Are we going to provide tools to download code over HTTP and execute it? -- X-Web-Site: https://sinsekvu.github.io | Note that I process my email in batch, Accept-Languages: eo,ru,en | at most once every 24 hours. If matter Accept: text/plain, text/x-diff | is urgent, you have my phone number.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Stuart Prescott <stuart@debian.org> :

Bug#859199 ; Package wnpp . (Sun, 02 Apr 2017 06:51:06 GMT) (full text, mbox, link).

Acknowledgement sent to Geert Stappers <stappers@stappers.nl> :

Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Stuart Prescott <stuart@debian.org> . (Sun, 02 Apr 2017 06:51:06 GMT) (full text, mbox, link).

Message #25 received at 859199@bugs.debian.org (full text, mbox, reply):

From: Geert Stappers <stappers@stappers.nl> To: Dmitry Bogatov <KAction@gnu.org>, debian-devel@lists.debian.org, 859199@bugs.debian.org Subject: Re: Bug#859199: ITP: dh-curl-sudo-bash -- debhelper tools for automated non-packaging Date: Sun, 2 Apr 2017 08:47:29 +0200

On Sun, Apr 02, 2017 at 08:27:17AM +0300, Dmitry Bogatov wrote: > [2017-03-31 15:48] Adam Borowski <kilobyte@angband.pl> > > On Sat, Apr 01, 2017 at 12:00:35AM +1100, Stuart Prescott wrote: > > > * Package name : dh-curl-sudo-bash > > > * URL : http://deb.li/U67E > > > Description : debhelper tools for automated non-packaging > > > > > > > > > "curl http://example.com/setup.sh | sudo bash -" > > > > I think you should also convert all https URLs to http, to make sure the > > download works over restrictive firewalls and when the user's connection is > > poorly MitMed. It would also avoid unexpected FTBFS when a certificate > > expires. > > Wait a minute. Is it a joke? Are we going to provide tools to download > code over HTTP and execute it? And even execute it with root privilges. Awareness is never a joke. echo ZWNobyAiWW91J3ZlIGJlZW4gQXByaWwgRm9vbGVkISIK | base64 -d

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Stuart Prescott <stuart@debian.org> :

Bug#859199 ; Package wnpp . (Sun, 02 Apr 2017 08:09:02 GMT) (full text, mbox, link).

Acknowledgement sent to Brian May <bam@debian.org> :

Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Stuart Prescott <stuart@debian.org> . (Sun, 02 Apr 2017 08:09:02 GMT) (full text, mbox, link).

Message #30 received at 859199@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org> To: Stuart Prescott <stuart@debian.org>, 859199@bugs.debian.org Subject: Re: Bug#859199: ITP: dh-curl-sudo-bash -- debhelper tools for automated non-packaging Date: Sun, 02 Apr 2017 18:05:46 +1000

Stuart Prescott <stuart@debian.org> writes: > The dh-curl-sudo-bash package provides a build-system method for debhelper > that automates the non-packaging of programs for which the preferred form of > distribution is the sequence > > "curl http://example.com/setup.sh | sudo bash -" > > dh-curl-sudo-bash causes debhelper to create a maintainer post-install script > that runs the above command on the target machine when the package is installed. This has the serious flaw that the upstream URL could change without notice. I think the dh-sudo-bash package should be able to scrape a given wikipedia page to obtain the URL that it should download the bash script from. With a check to ensure it is prefixed with http:// not https://. That way anybody can update the URL as required, not just the Debian developer. Oh, sorry, not April 1st anymore :-( -- Brian May <bam@debian.org>

Reply sent to Lars Wirzenius <liw@liw.fi> :

You have taken responsibility. (Tue, 04 Apr 2017 15:27:04 GMT) (full text, mbox, link).

Notification sent to Stuart Prescott <stuart@debian.org> :

Bug acknowledged by developer. (Tue, 04 Apr 2017 15:27:04 GMT) (full text, mbox, link).

Message #35 received at 859199-done@bugs.debian.org (full text, mbox, reply):

From: Lars Wirzenius <liw@liw.fi> To: 859199-done@bugs.debian.org Subject: Close Date: Tue, 4 Apr 2017 18:24:47 +0300

Closing the ITP bug report for dh-curl-sudo-bash. All useful action to prepare an upload has been done now. The package has not been rejected by ftp-masters, release-team, or debian-legal, and the has been no GR to block it. The expulsion process to remove us from Debian has not been officially started. There's nothing you can do now to prevent this from going onto millions of Debian machines around the world. Bwahahahahahaha! You're all doomed! Doomed I say! ____ ___ ___ ___ ___ __ __ _____ ____ _ | _ \ / _ \ / _ \ / _ \ / _ \| \/ | ____| _ \| | | | | | | | | | | | | | | | | | |\/| | _| | | | | | | |_| | |_| | |_| | |_| | |_| | | | | |___| |_| |_| |____/ \___/ \___/ \___/ \___/|_| |_|_____|____/(_) Ahem. -- I want to build worthwhile things that might last. --joeyh

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org . (Wed, 03 May 2017 07:37:54 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.