In HPC/cluster environments, users often don't have root and can't use traditional package managers; I generally need to build and install software with a --prefix sent to the configure script.
It's not that I don't want to build valgrind; I do want to build it from source. But I want to have some assurance that the source I got is the source everyone else got, given that I trust the valgrind project. What I don't want to have to do is to audit the whole codebase myself after each download/clone.

The recommended clone command on http://valgrind.org/downloads/repository.html should be `git clone https://sourceware.org/git/valgrind.git`, and the mirror clone command should be changed to `git clone https://repo.or.cz/valgrind.git`, both of which appear to be available. I shouldn't have to guess at the existence of a secure way to clone the repo and fix up an insecure default command; it should be documented and the default.

If the only secure way to get valgrind's source is to clone the Git repo, then that should be the recommended installation process; the source tarballs should be offered as a backup solution only for people who can't clone the repo (myself excluded). The current releases page at http://valgrind.org/downloads/current.html should thus contain the Git commands to clone the repo and check out the latest tag, above the links to the tarballs. The way the site is laid out now, it looks like the insecure tarball downloads are the recommended way for people not using a package manager to get a copy of valgrind.

Is there a repository for the web site where I can propose a patch?

On 3/14/19, John Reiser <jrei...@bitwagon.com> wrote:
>> *And* I
>> have to clone the whole git repo when really I just want to install
>> the current release of the program
> That is by design. If *you* want to get the bits that way, then *you* must
> build valgrind.
> Besides, the repo is not large, and building it is not long.
> Someone whose email address ends in .ucsc.edu should have no resource
> problems.
>
> If the goal is "install the current release" with the least hassle,
> then you should consider installing the current release from a
> Linux distribution such as Fedora or Debian. The .rpm or .deb
> is "signed by someone reputable". It may even have some bugs fixed
> already.
>
>
> _______________________________________________
> Valgrind-users mailing list
> Valgrind-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/valgrind-users