Comment 6 for bug 1487928

Michael Hudson-Doyle (mwhudson) wrote : Re: [Bug 1487928] Re: please upload 1.5 final packages

On 26 August 2015 at 03:15, Mathieu Trudel-Lapierre
<email address hidden> wrote:
> My concern isn't so much in that these binaries come with the source --
> it sounds suboptimal, but it's not quite as bad as shipping binary blobs
> we haven't built ourselves...

Right, but as I tried to say, this is not a new thing, we were
distributing these blobs anyway.

> That's the main issue I have with it and with removing the line from
> rules which deletes .syso files (note that we probably shouldn't ship
> any binaries we have not built ourselves, that includes other ELF
> binaries packed in the source tarball). It's possibly OK to run these
> binaries late in the build process when running tests because we are not
> exposing our users to untrusted binaries directly (as long as they don't
> go silently change the binaries we built and are about to ship), but
> shipping these files to users without having built them ourselves sounds
> like a security accident waiting to happen.

I agree that what we have here is not good. To be clear, the syso
files are nothing at all to do with running test cases during the
build.