bug-standards

Re: Behaviour of Build / Configure in GNU programs


From: Ludovic Courtès
Subject: Re: Behaviour of Build / Configure in GNU programs
Date: Tue, 07 Jul 2015 11:32:33 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

address@hidden (Alfred M. Szmidt) skribis:

>    I'm seeing an increasing number of programs whose configure and/or
>    makefile have been written to open a connection to some remote URL
>    (usually controlled by the project), download file(s) from there and
>    build them into the software.
>
>    I think this is a bad idea, from many points of view: Scalability,
>    Security and Reproducibility.  I haven't found any such instances
>    in GNU Software, but I think we should put a statement about it in
>    the GCS.
>
> Seriously?  Really curious what programs do this totally crazy
> behaviour.

Unfortunately this is becoming commonplace.  The Python build system
(setuptools), Ruby’s, and probably other language-specific tools do that
by default (that is, they check for a local dependency and fall back to
downloading it silently).  I’ve seen C++ projects do that as well.

Note that there is no real security and reproducibility issue *if* the
tools verify that the hash of the downloaded code is as expected.

Ludo’.
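The condition in the message above, that a build-time download is only acceptable when the tool checks the downloaded file against an expected hash, is easy to get wrong in a configure script or Makefile (the usual failure is to fetch and use the file with no check at all, or to fetch the expected hash from the same remote). The following POSIX sh snippet is an added example, not code from the thread or from any GNU project, of what such a check looks like in practice: the expected SHA-256 is pinned in the source tree, the file is fetched, and on mismatch the file is removed so a later build step cannot silently consume it. The function and variable names (`sha256_of`, `verify_download`, `fetch_verified`) and the `file://` branch, which exists only so the example can be exercised without network access, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the thread): pin-and-verify a build-time download.
# Assumption: EXPECTED_SHA256 is recorded in the source tree (Makefile, configure.ac,
# a .sha256 file under version control), never fetched from the same remote as the file.

# Print the SHA-256 of a file; coreutils sha256sum on GNU systems, shasum elsewhere.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_download FILE EXPECTED_SHA256
# Exit status 0 when the hash matches. On mismatch the file is deleted and
# status 1 is returned, so a Makefile rule using this as a prerequisite fails
# instead of building from an unverified artifact.
verify_download() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file") || return 1
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch for $file: expected $expected, got $actual" >&2
  rm -f "$file"
  return 1
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Fetch DEST from URL, then verify it. file:// URLs are copied locally
# (hypothetical convenience for offline testing); anything else goes through curl.
fetch_verified() {
  url=$1
  expected=$2
  dest=$3
  case $url in
    file://*) cp "${url#file://}" "$dest" ;;
    *)        curl -fsSL -o "$dest" "$url" ;;
  esac || return 1
  verify_download "$dest" "$expected"
}
```

In a Makefile this is typically wired as `third_party/dep.tar.gz: ; fetch_verified "$(DEP_URL)" "$(DEP_SHA256)" "$@"`, with `DEP_SHA256` committed alongside the URL. Pinning the hash also gives the reproducibility property the message refers to: a second build on another machine either obtains the identical bytes or fails loudly, rather than quietly picking up whatever the remote currently serves.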
