GNOME Bugzilla – Bug 669470
doesn't contain source for waf binary code
Last modified: 2012-02-10 20:29:28 UTC
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654474

hamster-applet uses the waf build system. The ./waf python script contains a binary blob which is basically a mangled .bz2 tarball that is unpacked at runtime and contains further python scripts. It is impossible to inspect the sources without actually executing the ./waf binary which potentially runs untrusted code. It is also not easily possible to modify the python scripts and regenerate ./waf.

As a result, the Debian ftp-masters filed a RC bug against the hamster-applet package (and other packages using waf) as they don't consider that acceptable for the Debian archive [1].

A possible solution would be to ship the unpacked sources (basically waf-light + waflib/ directory). The Debian wiki [2] contains further instructions on how that can be done. It would be great if hamster-applet would ship those sources unpacked.

While I had a look at this issue, I noticed that the included waf binary is rather old (dated May 2010), so this might be a good occasion to also update the build system to the latest upstream release.

[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=ftpmaster@debian.org;tag=waf-unpack
[2] http://wiki.debian.org/UnpackWaf

Thanks for the report! Fix pushed to master: http://git.gnome.org/browse/hamster-applet/commit/?id=7ed5e3c383ddc134163b6864bfa5644489aa72bf

So essentially just unpacked the waf and added waflib (wafadmin at that time) to the sources. I don't see any upsides from upgrading so not doing that right now.
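
An added example, not part of the original report or the hamster-applet sources: a static reader that pulls the embedded archive out of a packed waf script by parsing its text instead of running it, then hashes each member so it can be compared against unpacked upstream sources. The `#==>`/`#<==` markers and the `C1`/`C2` escape variables are assumptions taken from waf's own launcher, not from this page, and the sample script is constructed.

```python
import bz2, hashlib, io, re, tarfile

# Assumed layout of a packed waf script (from waf itself, not from this page):
# a line "#==>", one line "#<payload>", a line "#<==". In the payload, newline
# and carriage return are swapped for the escape strings assigned to C1 and C2.
def extract_archive(script: bytes) -> bytes:
    """Return the embedded tar bytes by parsing the script text; nothing is executed."""
    esc = dict(re.findall(rb"^(C[12])\s*=\s*'([^'\n]+)'", script, re.M))
    m = re.search(rb"^#==>\n#(.*)\n#<==$", script, re.M)
    if m is None or set(esc) != {b"C1", b"C2"}:
        raise ValueError("no embedded archive found")
    payload = m.group(1).replace(esc[b"C1"], b"\n").replace(esc[b"C2"], b"\r")
    return bz2.decompress(payload)

def audit(script: bytes) -> dict:
    """Map each regular file in the archive to its SHA-256, reading in memory only."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(extract_archive(script))) as tf:
        for member in tf.getmembers():
            if member.isfile():
                data = tf.extractfile(member).read()
                out[member.name] = hashlib.sha256(data).hexdigest()
    return out

def make_sample() -> bytes:
    """Constructed stand-in for a packed ./waf (not the real hamster-applet file)."""
    buf = io.BytesIO()
    files = (("wafadmin/Build.py", b"# build logic\n"),
             ("wafadmin/Utils.py", b"# helpers\r\n"))
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    packed = bz2.compress(buf.getvalue())
    # Pick two escape strings that do not occur in the compressed data.
    c1, c2 = [c for c in (b"#*", b"#%", b"#&", b"#(", b"#)") if c not in packed][:2]
    line = packed.replace(b"\n", c1).replace(b"\r", c2)
    head = b"#!/usr/bin/env python\nC1='" + c1 + b"'\nC2='" + c2 + b"'\n"
    return head + b"#==>\n#" + line + b"\n#<==\n"

if __name__ == "__main__":
    for name, digest in sorted(audit(make_sample()).items()):
        print(digest, name)
```

Running it against a real packed script only needs `audit(open("waf", "rb").read())`; the archive is never written to disk or imported.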