Erik Auerswald wrote: > On Fri, Aug 31, 2012 at 09:19:19AM +0200, Jim Meyering wrote: >> Bernhard Voelker wrote: >> > On 08/30/2012 02:13 PM, Stefano Lattarini wrote: >> >> Now that we use AM_TESTS_ENVIRONMENT, we should require at least >> >> Automake >= 1.11.2; but since all the Automake version until 1.11.5 >> >> are vulnerable to CVE-2012-3386: >> >> >> >> <https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html> >> >> >> >> it's even better to require 1.11.6. >> > >> > I don't like this idea: I'm personally using OpenSuSE 12.1 >> > (which is still the current version) which comes with 1.11.1. >> > To satisfy sc_vulnerable_makefile_CVE-2012-3386, I've patched >> > my /usr/share/automake-1.11/am/distdir.am. >> > >> > So the question I'm putting forward is: >> > shouldn't COREUTILS be at least compileable on the latest >> > version of the major distributions? >> >> First, let's agree on terminology. Anyone can compile >> the tools on nearly any type of system, assuming they >> start from a distribution tarball. I think you are talking >> about a different process: building from git cloned sources. >> That is a different process altogether. >> >> In a sense, I agree that it should be doable on most major >> distributions, but you won't like the qualifying "but". >> I think most major distributions should distribute much >> newer versions of tools like autoconf, automake and gettext. >> They are not like libraries. I've been lobbying to update >> these tools in older RHEL, with partial success. > > It has happened that Debian Sid (unstable) did not have new enough > autotools to build coreutils from cloned git sources. That usually stops my > urge to contribute at that time. ;-) > > Last time I checked Sid had new enough autotools, but this might well change > during the Wheezy freeze. > >> However, even if your distribution chooses not to support this >> aspect of development, you can easily work around that deficiency >> by building all of the latest tools yourself and installing >> them in a private "bin" directory early in your shell's search path. > > IMHO that additional hassle might discourage casual contributors. > > Anyway, I don't even know _how_ old autotools 1.11.2 is,
1.11.2 was released on 22 Dec 2011. > so I'm not > objecting to this actual requirement. I'd just like to raise awareness > of this aspect. Thanks. This is one of the reasons I've been using Fedora on my desktop for the last 6+ years. A new version of Fedora comes out every 6 months, and upgrade is usually easy, so I can track most of the latest tools without having to install things myself. >> This script automates the process for you, downloading all of the >> latest tarballs, checking signatures (on all bug pkg-check, which >> appears to have none), building, optionally running make check, >> and installing: >> >> http://people.redhat.com/meyering/autotools-install > > Please consider the following patch to that script: Thanks! I'm about to add scripts/autotools-install to coreutils. Yours will be the first c-set for that file. > ---8<------8<------8<------8<------8<------8<------8<------8<------8<--- > > --- autotools-install.orig 2012-08-31 09:26:20.000000000 +0200 > +++ autotools-install 2012-08-31 09:28:46.000000000 +0200 > @@ -22,7 +22,7 @@ > > Options: > --prefix=PREFIX install tools under specified directory > - --skip-check do not run "make check" (this can save 50+ min) > + --skip-check do not run \"make check\" (this can save 50+ min) > --help display this help and exit > > For example, to install programs into \$HOME/autotools/bin, run this command: > @@ -31,7 +31,7 @@ > > If you've already verified that your system/environment can build working > versions of these tools, you can make this script complete in just a > -minute or two (rather than about an hour if you let all "make check" > +minute or two (rather than about an hour if you let all \"make check\" > tests run) by invoking it like this: > > $prog_name --prefix=\$HOME/autotools --skip-check > > ---8<------8<------8<------8<------8<------8<------8<------8<------8<--- > >> > I think a check like sc_vulnerable_makefile_CVE-2012-3386 >> > is enough. >> > >> > BTW: If you insist on this patch, then you also have to adapt >> > README-prereq. >> >> Good point. Thanks. I'm tempted to remove the build instructions from >> README-prereq, and instead to include my autotools-install script under >> script and referencing it. WDYT? > > I prefer written build instructions to a script. The script could be > offered as a help on distributions lacking current enough autotools. In that case, I'm happy to retain those instructions. I think Pádraig also liked them. Would one of you like to update README-prereq?
