On Tue, Dec 08, 2009 at 03:48:03PM -0800, Alan Coopersmith wrote:
> The GNU automake maintainers today issued patches and a security advisory
> for a problem when running 'make dist*' on projects which had Makefile.in
> generated by versions of automake prior to the patch:
> http://lists.gnu.org/archive/html/autotools-announce/2009-12/msg00002.html
>
> This pretty much covers every X.Org modular release tarball ever made.
> Clearly X.Org will not be rebuilding all our past tarballs with new
> automake releases, as we simply don't have the people-power.
>
> It's unclear to me if we need to rebuild any releases at all, or just
> tell end users that if they're running 'make dist*' on a previously
> released tarball, on a system in which untrusted users could login or
> access the filesystem, they should run "autoreconf" first with a patched
> local automake install. Any opinions?

Telling users of released tarballs to be careful is more than enough
in my opinion. In most cases someone using a downloaded tarball will
not use 'make dist' or distcheck.

> X.Org developers/maintainers should move to patched versions of automake
> when possible for generating release tarballs going forward.

Sure, but please don't enforce by requiring the latest automake version
in xorg-macros. Many people are running distributions that will ship
patches to previous automake versions rather than blindly updating it.

-- 
Matthieu Herrb
