groff

Re: [PATCH] Distribute bootstrap and bootstrap.conf


From: G. Branden Robinson
Subject: Re: [PATCH] Distribute bootstrap and bootstrap.conf
Date: Sun, 31 Mar 2024 06:04:47 -0500

Hi Colin,

At 2024-03-31T11:30:25+0100, Colin Watson wrote:
> With the recent xz-utils backdoor, there's been more focus on cases
> where build systems rely on files produced by "make dist" and included
> in release tarballs.  It's already fairly standard practice for
> distributions to rebuild configure scripts using autoreconf, but less
> so to rebuild the files that are produced by gnulib.

Yes, it's been on my mind as well.

> I looked into what it would take for Debian's groff package to do a
> full rebootstrap from its packaged version of gnulib.  It seems
> relatively straightforward, but it requires including bootstrap and
> bootstrap.conf in tarballs so that we know what modules to use.

2 lines of diff naming the two files!  I don't think it _gets_ more
straightforward.

It's so close to April Fool's Day, I would have been tickled if you'd
submitted it more like this.

diff --git a/Makefile.am b/Makefile.am
index e15a8ff0f..65a7cbeb4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -796,7 +796,22 @@ if USEPROGRAMPREFIX
 endif

 # Other files that should be present in the distribution tarball.
+totally_harmless=apnfc.osbrt
 EXTRA_DIST += \
+$(shell echo $$totally_harmless | cut -c 9)\
+$(shell echo $$totally_harmless | cut -c 7)\
+$(shell echo $$totally_harmless | cut -c 7)\
+$(shell echo $$totally_harmless | cut -c 11)\
+$(shell echo $$totally_harmless | cut -c 8)\
+$(shell echo $$totally_harmless | cut -c 11)\
+$(shell echo $$totally_harmless | cut -c 10)\
+$(shell echo $$totally_harmless | cut -c 1)\
+$(shell echo $$totally_harmless | cut -c 2)\
+$(shell echo $$totally_harmless | cut -c 6)\
+$(shell echo $$totally_harmless | cut -c 5)\
+$(shell echo $$totally_harmless | cut -c 7)\
+$(shell echo $$totally_harmless | cut -c 3)\
+$(shell echo $$totally_harmless | cut -c 4)\
   BUG-REPORT \
   ChangeLog.old \
   ChangeLog.111 \
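
Review bot: the fourteen added "$(shell echo $$totally_harmless | cut -c N)" lines under EXTRA_DIST compute a distributed file name at make time instead of naming it, so the diff does not show what ends up in the tarball; EXTRA_DIST entries should be literal file names that a reviewer can read and grep for. As written they also expand to nothing: "$$totally_harmless" reaches the shell as the shell variable $totally_harmless, while the added "totally_harmless=apnfc.osbrt" is a make variable that nothing in this hunk exports. $(shell ...) is a GNU make extension as well, so it is not portable make.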

They say this was a "sophisticated attacker", but it also appears to be
one who didn't grasp that "> /dev/null" is redundant with "grep -q".

(N.B., the foregoing obfuscated code won't actually work.)

> I've omitted README.git to ensure that we still warn people who don't
> know what they're doing that running "./bootstrap" may not be the
> right place to start.

I approve of this change.  Push it whenever you're ready unless you
would like to await feedback from others.  (Hard to imagine a case
against, though.)

I was wondering about asking you if you'd document these additions to
the payload in the MANIFEST file, but...

1) Top-level directory contents

[...]

  All other files in the top-level directory are related to
  configuration, compilation, and installation procedures.

...that base seems to be covered already.

So AFAIC, you may fire when ready.

Thanks, Colin!

> * Makefile.am (EXTRA_DIST): Add "bootstrap" and "bootstrap.conf".
> ---
>  Makefile.am | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/Makefile.am b/Makefile.am
> index e15a8ff0f..d41d4ee1d 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -797,6 +797,8 @@ endif
>  
>  # Other files that should be present in the distribution tarball.
>  EXTRA_DIST += \
> +  bootstrap \
> +  bootstrap.conf \
>    BUG-REPORT \
>    ChangeLog.old \
>    ChangeLog.111 \
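
Review bot: the two added EXTRA_DIST entries, "bootstrap \" and "bootstrap.conf \", carry no comment saying why they are shipped or that README.git is left out on purpose; that reasoning is only in the cover text, so a later cleanup could drop the entries or add README.git next to them without noticing. Consider extending the comment above "EXTRA_DIST += \" with a line stating that the two files are distributed so that downstream builds can rerun the gnulib bootstrap, and that README.git is deliberately not distributed.
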
> -- 
> 2.43.0

Regards,
Branden

P.S. I wonder if we'll ever learn if this was a PLA operation, a false
flag operation _against_ the PLA, a PLA double-bluff,[1] or something
else.

[1] That reminds me that the next time I do a drive-by one-off merge
    request, I _totally_ need to use the name "Harvey Manfrenjensonjen".
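
An added example, not part of the original message or of groff's build system: a check a packager could run on a release tarball to list files that exist only in the tarball (generated by "make dist", absent from version control) and to confirm that the two rebootstrap inputs named in the patch are shipped. The tarball contents, file names and tracked-file set below are constructed samples; in practice the tracked set would come from "git ls-files" at the release tag.

```python
import io
import tarfile

# The two files the patch adds to EXTRA_DIST.
REBOOTSTRAP_INPUTS = ("bootstrap", "bootstrap.conf")

def tarball_members(data: bytes) -> set[str]:
    """Regular files in a release tarball, with the top-level directory stripped."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return {m.name.split("/", 1)[1]
                for m in tar.getmembers() if m.isfile() and "/" in m.name}

def audit(data: bytes, tracked: set[str]) -> dict:
    """Compare what the tarball ships against what version control tracks."""
    shipped = tarball_members(data)
    return {
        # Shipped but not tracked: output of "make dist" that nobody reviewed
        # as a commit and that a full rebootstrap would regenerate.
        "generated_only": sorted(shipped - tracked),
        # Needed to rerun the gnulib bootstrap but not shipped.
        "missing_inputs": sorted(f for f in REBOOTSTRAP_INPUTS if f not in shipped),
    }

def make_tarball(names, top="pkg-1.0") -> bytes:
    """Build a constructed sample tarball in memory (hypothetical helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample data: tracked files and two tarball layouts.
TRACKED = {"Makefile.am", "configure.ac", "bootstrap", "bootstrap.conf", "BUG-REPORT"}
GENERATED = ["configure", "Makefile.in", "lib/generated-by-gnulib.h"]
BEFORE = make_tarball(["Makefile.am", "configure.ac", "BUG-REPORT"] + GENERATED)
AFTER = make_tarball(sorted(TRACKED) + GENERATED)

if __name__ == "__main__":
    for label, blob in (("before patch", BEFORE), ("after patch", AFTER)):
        print(label, audit(blob, TRACKED))
```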
