On 08/31/2012 09:19 AM, Jim Meyering wrote:
> Bernhard Voelker wrote:
>
>> On 08/30/2012 02:13 PM, Stefano Lattarini wrote:
>>> Now that we use AM_TESTS_ENVIRONMENT, we should require at least
>>> Automake >= 1.11.2; but since all the Automake version until 1.11.5
>>> are vulnerable to CVE-2012-3386:
>>>
>>> <https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html>
>>>
>>> it's even better to require 1.11.6.
>>
>> I don't like this idea: I'm personally using OpenSuSE 12.1
>> (which is still the current version) which comes with 1.11.1.
>> To satisfy sc_vulnerable_makefile_CVE-2012-3386, I've patched
>> my /usr/share/automake-1.11/am/distdir.am.
>>
>> So the question I'm putting forward is:
>> shouldn't COREUTILS be at least compileable on the latest
>> version of the major distributions?
>
> Hi Bernhard,
>
> First, let's agree on terminology. Anyone can compile
> the tools on nearly any type of system, assuming they
> start from a distribution tarball.

Ok, that sounds good.

> I think you are talking
> about a different process: building from git cloned sources.
> That is a different process altogether.
>
> In a sense, I agree that it should be doable on most major
> distributions, but you won't like the qualifying "but".
> I think most major distributions should distribute much
> newer versions of tools like autoconf, automake and gettext.
> They are not like libraries. I've been lobbying to update
> these tools in older RHEL, with partial success.
>
> I.e., I think upstream development should be tracking the
> latest features of the latest tools. In particular, while
> autoconf and gettext are not evolving quickly these days,
> automake *is*, and given the big return on investment in
> non-recursive make (more efficient builds, day to day) and
> the prospect of even cleaner/better Makefile.am files with the
> upcoming automake-ng, we would be remiss not to take advantage
> of contributions like those from Stefano.
>
> However, even if your distribution chooses not to support this
> aspect of development, you can easily work around that deficiency
> by building all of the latest tools yourself and installing
> them in a private "bin" directory early in your shell's search path.

Sorry, maybe I was a bit angry yesterday, because my git environment
didn't work anymore. Another problem was README-prereq, because the
version number of autoconf needed is not 2.62 but at least 2.64
- from coreutils' point of view ...but automake required even 2.68.
Finally, automake didn't install cleanly because it complained about
the missing symlink from ~/coreutils/deps/share/aclocal to
aclocal-1.11, urgh.

After finally getting autoconf+automake working (and running bootstrap
etc in coreutils), a `make syntax-check` failed because of the
renaming of the test scripts.

The attached patch silenced the syntax-check (although I'm not sure if
I fixed sc_long_lines in the right way).

> This script automates the process for you, downloading all of the
> latest tarballs, checking signatures (on all but pkg-check, which
> appears to have none), building, optionally running make check,
> and installing:
>
> http://people.redhat.com/meyering/autotools-install

Cool!

> If you run it, be sure to heed this advice in its --help output:
>
> If you've already verified that your system/environment can build working
> versions of these tools, you can make this script complete in just a
> minute or two (rather than about an hour if you let all make check
> tests run) by invoking it like this:
>
> autotools-install --prefix=$HOME/autotools --skip-check
>
>
>> I think a check like sc_vulnerable_makefile_CVE-2012-3386
>> is enough.
>>
>> BTW: If you insist on this patch, then you also have to adapt
>> README-prereq.
>
> Good point. Thanks. I'm tempted to remove the build instructions from
> README-prereq, and instead to include my autotools-install script under
> script and referencing it. WDYT?

+1

> I'd have to change autotools-install to add xz, and possibly to remove
> (or make optional) libtool and pkg-config, since those packages are not
> needed to build coreutils.
>

Have a nice day,
Berny

diff --git a/cfg.mk b/cfg.mk
index 50fb13e..06bb63d 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -156,7 +156,7 @@ sc_check-AUTHORS:
LINE_LEN_MAX = 80
FILTER_LONG_LINES = \
/^[^:]*\.diff:[^:]*:@@ / d; \
- \|^[^:]*tests/misc/sha[0-9]*sum[-:]| d; \
+ \|^[^:]*tests/misc/sha[0-9]*sum[^:]| d; \
\|^[^:]*tests/pr/|{ \|^[^:]*tests/pr/pr-tests:| !d; };
sc_long_lines:
@files=$$($(VC_LIST_EXCEPT)) \
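Review bot: the new class `[^:]` in the sha*sum line of FILTER_LONG_LINES is looser than the rename needs. It accepts any non-colon character after `sum`, so every path under tests/misc/ that starts with `sha<digits>sum` plus one more character is now exempt from the 80-column check. If the renamed scripts only gained a `.sh` suffix, as the other hunks suggest, `sha[0-9]*sum[-.]` keeps the exemption as narrow as the old `[-:]` was.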
@@ -501,7 +501,7 @@ update-copyright-env = \
# List syntax-check exemptions.
exclude_file_name_regexp--sc_space_tab = \
- ^(tests/pr/|tests/misc/nl$$|gl/.*\.diff$$)
+ ^(tests/pr/|tests/misc/nl\.sh$$|gl/.*\.diff$$)
exclude_file_name_regexp--sc_bindtextdomain = ^(gl/.*|lib/euidaccess-stat)\.c$$
exclude_file_name_regexp--sc_unmarked_diagnostics = ^build-aux/cvsu$$
exclude_file_name_regexp--sc_error_message_uppercase = ^build-aux/cvsu$$
@@ -521,7 +521,7 @@ exclude_file_name_regexp--sc_prohibit_always-defined_macros = \
exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = ^tests/pr/
exclude_file_name_regexp--sc_program_name = ^(gl/.*|lib/euidaccess-stat)\.c$$
exclude_file_name_regexp--sc_file_system = \
- NEWS|^(tests/init\.cfg|src/df\.c|tests/df/df-P)$$
+ NEWS|^(tests/init\.cfg|src/df\.c|tests/df/df-P.sh)$$
exclude_file_name_regexp--sc_prohibit_always_true_header_tests = \
^m4/stat-prog\.m4$$
exclude_file_name_regexp--sc_prohibit_fail_0 = \
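Review bot: the dot in `tests/df/df-P.sh` on the added sc_file_system line is unescaped, so it matches any character, while the other entries touched by this patch use `\.sh`. Suggest `tests/df/df-P\.sh` for consistency and an exact match.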
@@ -536,13 +536,13 @@ exclude_file_name_regexp--sc_prohibit_tab_based_indentation = \
exclude_file_name_regexp--sc_preprocessor_indentation = \
^(gl/lib/rand-isaac\.[ch]|gl/tests/test-rand-isaac\.c)$$
exclude_file_name_regexp--sc_prohibit_stat_st_blocks = \
- ^(src/system\.h|tests/du/2g)$$
+ ^(src/system\.h|tests/du/2g\.sh)$$
exclude_file_name_regexp--sc_prohibit_continued_string_alpha_in_column_1 = \
^src/(system\.h|od\.c|printf\.c)$$
exclude_file_name_regexp--sc_prohibit_test_backticks = \
- ^tests/(init\.sh|check\.mk|misc/stdbuf)$$
+ ^tests/(init\.sh|Makefile\.am|misc/stdbuf\.sh)$$
# Exempt test.c, since it's nominally shared, and relatively static.
exclude_file_name_regexp--sc_prohibit_operator_at_end_of_line = \
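Review bot: in sc_prohibit_test_backticks, swapping `check\.mk` for `Makefile\.am` is not a test-script rename like the rest of the patch, and it exempts tests/Makefile.am from the backtick check. The commit message should say why that file needs the exemption, or this part should go in as its own change.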
diff --git a/gnulib b/gnulib
--- a/gnulib
+++ b/gnulib
@@ -1 +1 @@
-Subproject commit 68f693ff1db33bf24695f0f42c62e7801966fd06
+Subproject commit 68f693ff1db33bf24695f0f42c62e7801966fd06-dirty
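Review bot: the gnulib hunk should be dropped from the patch. Both lines name the same commit, and the `-dirty` suffix only records that the submodule working tree had local modifications when the diff was generated. Regenerating the diff with `git diff --ignore-submodules=dirty` (or restricting it to cfg.mk) avoids it.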