Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
From: Bruno Haible
Subject: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date: Tue, 02 Apr 2024 13:25:06 +0200

Jacob Bachmeyer wrote:
> Another related check that /would/ have caught this attempt would be
> comparing the aclocal m4 files in a release against their (meta)upstream
> sources before building a package. This is something distribution
> maintainers could do without cooperation from upstream. If
> m4/build-to-host.m4 had been recognized as coming from gnulib and
> compared to the copy in gnulib, the nonempty diff would have been
> suspicious.

True.

Note, however, that there would be some false positives: libtool.m4
is often shipped modified,
  a) if the maintainer happens to use /usr/bin/libtoolize and
     is using a distro that has modified libtool.m4 (such as Gentoo), or
  b) if the maintainer intentionally improved the support of specific
     platforms, such as Solaris 11.3.

Also, for pkg.m4 there is no single upstream source. They distribute
a pkg.m4.in, from which pkg.m4 is generated on the developer's machine.

But for macros from Gnulib or the Autoconf macros archive, this is a
reasonable check to make.

Bruno
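
The check discussed in this message, sketched as an added example (not part of the original message and not code from Gnulib, Automake or any distribution): it compares each .m4 file in an unpacked release against reference copies and keeps the libtool.m4 and pkg.m4 cases named above separate from unexplained differences. The function names, verdict labels and directory layout are assumptions, and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Names the message singles out as legitimately differing from any one upstream:
# libtool.m4 (distro- or maintainer-modified) and pkg.m4 (generated from pkg.m4.in).
NOISY = {"libtool.m4", "pkg.m4"}

def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_m4(release_m4_dir, upstream_dirs):
    """Return {file name: verdict} for each .m4 file shipped in the release."""
    known = {}  # file name -> digests of every reference copy found
    for d in upstream_dirs:
        for f in Path(d).rglob("*.m4"):
            known.setdefault(f.name, set()).add(_digest(f))
    verdicts = {}
    for f in sorted(Path(release_m4_dir).glob("*.m4")):
        if _digest(f) in known.get(f.name, set()):
            verdicts[f.name] = "match"
        elif f.name in NOISY:
            verdicts[f.name] = "differs-expected"  # likely false positive, read the diff
        elif f.name in known:
            verdicts[f.name] = "differs"           # nonempty diff against upstream
        else:
            verdicts[f.name] = "no-upstream"       # project-local macro or unknown origin
    return verdicts

def demo():
    """Run the audit over constructed sample trees (not real upstream content)."""
    with tempfile.TemporaryDirectory() as tmp:
        rel, up = Path(tmp, "release/m4"), Path(tmp, "upstream/m4")
        rel.mkdir(parents=True)
        up.mkdir(parents=True)
        for name in ("build-to-host.m4", "gettext.m4", "libtool.m4"):
            (up / name).write_text(f"# constructed reference copy of {name}\n")
        (rel / "gettext.m4").write_text("# constructed reference copy of gettext.m4\n")
        (rel / "build-to-host.m4").write_text("# constructed, edited copy\n")
        (rel / "libtool.m4").write_text("# constructed, distro-patched copy\n")
        (rel / "pkg.m4").write_text("# constructed, generated from pkg.m4.in\n")
        (rel / "local-check.m4").write_text("# constructed project-local macro\n")
        return audit_m4(rel, [up])

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:17} {name}")
```

Passing several reference directories (for example, checkouts at more than one upstream revision) lets a release that bundles an older but unmodified macro still report "match".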