debian mentors/ commonpackagingmistakes/ Using $(PWD) instead of $(CURDIR)

Using $(PWD) instead of $(CURDIR) in debian/rules

In debian/rules, when you want to refer to a location relative to the build directory, for instance to move or delete a file you need to use a variable that contains the current directory. One such variable is $(PWD), which is the $PWD environment variable from the shell.

When a package is built it needs a root environment for some tasks. For this fakeroot is normally used. Some architectures don't have this, and so use sudo instead, giving them real root. in 2006 sudo was found to have a security vulnerability due to environment variables being passes to the process that is spawned as root. The fix was to change sudo to only pass some variables to the spawned process by default, and this list does not include $PWD. This means that if you use it in your debian/rules your package may fail to build on a Buildd that uses sudo.

To work around this problem use $(CURDIR) rather than $(PWD). It will work exactly the same, but avoid these problems.

And while you are checking for this also check for UsingCURDIRWithoutQuotes.