Bruno Haible via Gnulib discussion list <[email protected]> writes:

> Simon Josefsson wrote:
>> >> It is not widely packaged by distributions (I think) directly, so access
>> >> to the latest non-vendored version of those files is fairly obscure.
>> >>
>> >> Would it make sense to move the files to gnulib?
>> >
>> > Gnulib is already redistributing the latest versions of these files.
>> > I don't see the problem that you see.
>>
>> There is a growing trend to avoid vendoring files, because of bit-rot
>> and supply-chain concerns among other reasons, and while it is not
>> really enforced well in many places yet, I do believe vendoring files is
>> something we should try to reduce. There are much larger problems than
>> the 'config' files, but I think this sets a bad example for important
>> files that are executed by almost anyone running ./configure.
>>
>> That's the only problem I see
>
> For normal users, GNU distributes tarballs, which includes files that
> are centrally maintained (mostly config.{guess,sub}, gnulib stuff,
> but also some build-aux/ files like install-sh.
>
> For experienced users, most packages have a git repository that does NOT
> include these files. This git repository sometimes has an indication
> which gnulib version to use. For the other files, "always the newest"
> is the implied recommendation, because config.{guess,sub} and install-sh
> are maintained in a backward-compatible way.
>
> So, users already have the choice.
>
> The way to get the newest config.{guess,sub} is widely known:
>   1) They contain themselves a note
>        # You can get the latest version of this script from:
>        # https://git.savannah.gnu.org/cgit/config.git/plain/config.guess
>   2) Some packages do
>        $GNULIB_TOOL --copy-file build-aux/config.guess; chmod a+x build-aux/config.guess
>        $GNULIB_TOOL --copy-file build-aux/config.sub; chmod a+x build-aux/config.sub
>   3) Other packages do
>        for file in config.guess config.sub; do
>          wget -q --timeout=5 -O build-aux/$file.tmp "http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob_plain;f=build-aux/${file};hb=HEAD" && mv $file.tmp $file
>        done
>      as documented in
>      https://www.gnu.org/software/gettext/manual/html_node/config_002eguess.html

Agreed!

> So, I still don't understand what you mean by "access [to] those files is
> fairly obscure". What else could be done? Do you want to see them regularly
> uploaded to ftp.gnu.org, like texinfo.tex is (at
> https://ftp.gnu.org/gnu/texinfo/texinfo.tex) ? What would be the benefit of
> having yet another, alternative way of obtaining these files?

Yes, by "fairly obscure" I meant not using the normal tarball-centric
distribution model, and lack of a strong cryptographic distribution
mechanism for the files. Having them on ftp.gnu.org would fix that.
Arguably, it is some work to achieve this, and there are probably more
important things to work on, but I think this is a bit sub-optimal.

Maybe the GNU config project could publish PGP signed git bundles just
like gnulib does? Once in a while. So there is some long-term
authenticated integrity-protected archive of this fairly important code.

I'm happy to volunteer to do this, if there is interest. Dmitry?

Distributions are moving towards not building from *.tar.gz but to
directly build from git source, see for example the recent Guix
announcement:

https://lists.gnu.org/archive/html/guix-devel/2026-03/msg00043.html

I think that is generally a good thing, and then these config.guess and
config.sub files may eventually be of some concern as a consequence.

> Or, when you say "vendoring files is something we should try to reduce",
> what else do you mean? Getting rid of config.{guess,sub} entirely? How?

No -- just attempting to reduce the amount of vendored and generated
files stored in git repositories generally. And then I was thinking of
the copy of these files inside gnulib.

/Simon
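
Editorial example, added here and not written by either participant or taken from gnulib or GNU config: the quoted `wget ... && mv` recipe installs whatever the server returned, so one way to get integrity protection without vendoring the scripts is to keep only a pinned SHA-256 digest in the repository and refuse any fetched file that does not match it. The function names and the `sha256sum`-style manifest ("<hex>  <name>" per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example: install a fetched build-aux script only when it matches
# a digest pinned in a manifest kept under version control (assumed layout).

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_pinned MANIFEST CANDIDATE DESTDIR NAME
# Returns 0 and installs DESTDIR/NAME (executable) if CANDIDATE matches the
# digest pinned for NAME; returns 1 and leaves DESTDIR/NAME untouched otherwise.
install_pinned() {
  manifest=$1 candidate=$2 destdir=$3 name=$4
  # Exact match on the name field, so "config.sub" never matches "config.sub.bak".
  want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
  if [ -z "$want" ]; then
    echo "install_pinned: no pinned digest for $name" >&2
    return 1
  fi
  got=$(sha256_of "$candidate") || return 1
  if [ "$got" != "$want" ]; then
    echo "install_pinned: digest mismatch for $name (got $got)" >&2
    return 1
  fi
  # Stage inside DESTDIR so the final mv is a rename on the same filesystem.
  tmp="$destdir/.$name.tmp.$$"
  cp "$candidate" "$tmp" && chmod a+x "$tmp" && mv "$tmp" "$destdir/$name" || {
    rm -f "$tmp"
    return 1
  }
}
```

A pinned digest only protects against a file that differs from the one reviewed when the pin was recorded; it does not authenticate the upstream source the way a signed tarball or signed git bundle would.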
