On Tue, 2008-04-22 at 06:18 -0600, Eric Blake wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> According to Ralf Corsepius on 4/21/2008 11:49 PM:
> | I am not upgrading the distro. I want to enable developers to work on
> | my sources. Therefore, I am shipping autoconf+automake add-on packages
> | (Installed to /opt/...).
> |
> | ... now, autoconf is forcing me to also ship gm4.
> |
> | To me, this is a massive regression on autoconf's part.
>
> I'm sorry you feel this is a regression, but autoconf has required gm4 for
> ages, and only now are we enforcing that gm4 is new enough to not silently
> generate broken configure files.

I know - But I feel you have shot autoconf into its foot by doing.

> |
> | What will be next - bash-X, gawk-Y?
>
> No. The resulting configure scripts do not depend on a particular bash

Well, they spend a significant amount of effort in working around shell
portability issues and shell bugs. Requiring (or even bundling) one
particular flavor of a shell would likely significantly simplify configure
scripts :()

> | These distros are ultra-conservative, ... security fixes only, and
> | hardly any upgrades ever.
>
> And m4 1.4.4 and earlier have KNOWN security bugs. Your distro is doing
> you a disservice by not upgrading it.

I am not working for RedHat, I am not even using RHEL.

> Even m4 1.4.10 has a known stack
> overrun/arbitrary code execution bug when abusing the -F option that was
> only fixed in 1.4.11.

OK, so running autoconf is a SECURITY risk on almost all existing Linux
distributions?

It's time autoconf dumps using m4 in favor of something more stable!

> And guess what - autoconf uses the -F option (at
> least autoconf doesn't tickle the m4 bug in the normal use case of
> portable file names).
>
> - --
> Don't work too hard, make some time for fun as well!
>
> Eric Blake [EMAIL PROTECTED]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Cygwin)

I guess you know how old and broken Cygwin's GCC is? I guess, I'll start
to require gcc-4.3.x for my sources, such that Cygwin users will have to
upgrade their GCC.

Ralf
