bug-standards

Re: GNU Coding Standards, automake, and the recent xz-utils backdoor


From: Bruno Haible
Subject: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date: Sat, 30 Mar 2024 23:25:17 +0100

Eric Gallager wrote:
> >   * In order to detect that a tarball contains too many files, that is,
> >     some files that the release manager did not intend to include,
> >     the best way is to compare the file list of the current tarball
> >     with the previous version:
> >       $ diff -r -q package-prev_version/ package-curr_version/
> >
> >   * In order to detect whether the packaged file list is consistent
> >     with the .gitignore file, one can use
> >       $ git status -u
> 
> Hm, so should automake's `distcheck` target be updated to perform
> these checks as well, then?

The first mentioned check cannot be automated. It can only be done by the
maintainer / release manager, reviewing the list of added files and matching
them against the list of added features or tests since the last release.

The second mentioned check could be done by the maintainer, if they add
a 'distcheck-hook' [1] for this purpose. I personally find this quite
hairy, because mixing the GNU build system (which is about *generating files*)
with *version control* topics has been a recipe for trouble over the years.

Bruno

[1] https://www.gnu.org/software/automake/manual/html_node/Checking-the-Distribution.html
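The second check discussed in the mail, as an added example that is not part of Bruno Haible's message, the automake manual, or any GNU project: a POSIX shell script of the kind a maintainer could call from a 'distcheck-hook'. It takes the file list of a distribution tarball and the list of version-controlled files, drops tarball entries that the build system is expected to generate, and reports whatever remains, i.e. files that reached the tarball without being tracked. The allowlist, the helper names (`is_allowed`, `unexpected_files`, `check_tarball_list`) and the two sample file lists are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the mail or the automake manual): flag tarball
# entries that are neither under version control nor on an allowlist of
# files the GNU build system legitimately generates at 'make dist' time.
#
# Producing the two input lists in a real project (not executed here, so the
# script runs offline):
#   tar tzf package-1.0.tar.gz | sed 's,^[^/]*/,,' | grep -v '/$' > tarball.lst
#   git ls-files > tracked.lst
# A distcheck-hook in Makefile.am could then run:
#   sh check-dist-files.sh tarball.lst tracked.lst

# Files that 'make dist' adds without their being tracked. This list is an
# assumption for the example; a real project tunes it to its own generated files.
GENERATED_ALLOWLIST='
configure
config.h.in
aclocal.m4
INSTALL
Makefile.in
build-aux/compile
build-aux/config.guess
build-aux/config.sub
build-aux/depcomp
build-aux/install-sh
build-aux/missing
'

# is_allowed PATH: succeed if PATH is an expected generated file
# (exact allowlist match, or a Makefile.in anywhere in the tree).
is_allowed() {
    case "$1" in
        */Makefile.in) return 0 ;;
    esac
    for allowed in $GENERATED_ALLOWLIST; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# unexpected_files TARBALL_LIST TRACKED_LIST
# Both arguments name files with one path per line, relative to the top-level
# source directory. Prints each tarball path that is neither tracked nor allowed.
# grep -vxF -f: keep lines of the tarball list that do not exactly match any
# line of the tracked list (fixed strings, so regex metacharacters in paths
# are harmless; an empty tracked list matches nothing, so every entry is kept).
unexpected_files() {
    grep -vxF -f "$2" "$1" | while IFS= read -r path; do
        is_allowed "$path" || printf '%s\n' "$path"
    done
}

# check_tarball_list TARBALL_LIST TRACKED_LIST
# Exit status 0 when the tarball is clean, 1 (with a report on stderr) otherwise,
# so a distcheck-hook fails the distribution check on any unexpected file.
check_tarball_list() {
    extra=$(unexpected_files "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'tarball contains files not under version control:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: a tarball listing with one untracked macro file
# slipped in, and the matching tracked-file list.
demo_tmp=$(mktemp -d)
trap 'rm -rf "$demo_tmp"' EXIT
cat > "$demo_tmp/tarball.lst" <<'EOF'
configure
configure.ac
Makefile.am
Makefile.in
aclocal.m4
m4/ax_pthread.m4
m4/extra.m4
build-aux/install-sh
src/foo.c
src/Makefile.in
EOF
cat > "$demo_tmp/tracked.lst" <<'EOF'
configure.ac
Makefile.am
src/foo.c
m4/ax_pthread.m4
EOF

# Demonstration run: only m4/extra.m4 is reported; configure, aclocal.m4,
# the Makefile.in files and build-aux/install-sh are expected generated files.
check_tarball_list "$demo_tmp/tarball.lst" "$demo_tmp/tracked.lst"
```

The script deliberately compares names only: a file that is tracked but whose tarball content differs from the checked-in copy is outside its scope, which is one reason the mail treats the first check (reviewing added files against added features) as a human task.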
