On Mon, 14 Aug 2023, Gavin Smith wrote:
It seems that people are more likely to have broken or unusual setups when reading an INSTALL file than when reading other text files, making UTF-8 more of a potential problem.

* A "bootstrap" command is recommended as the first step:

    The following shell commands:

        test -f configure || ./bootstrap
        ./configure
        make
        make install

    should configure, build, and install this package.

However, a "bootstrap" command does not exist in all packages (and isn't specified by the GNU coding standards(*)), making this INSTALL file less useful to include in other packages.

(*) https://www.gnu.org/prep/standards/html_node/Managing-Releases.html#Managing-Releases

The text also says, several paragraphs later, that the "bootstrap" command can download data from a network, which is not respecting the user's privacy and the other downsides of network access (expense, reliability).

You make good points about unnecessary use of UTF-8 and particularly the "bootstrap" command.
In a normal GNU package, there should be no need for a bootstrap command since the provided tarball should already be completely prepared.
If the software is accessed from a source repository (e.g. git), then it is much more likely that some "bootstrap" magic is required. Unfortunately, the "bootstrap" magic is highly project-specific. It might just execute already installed Autotools, or it might do something like check out sub-repositories from other projects.
To me, an arbitrary bootstrap script is both a privacy and security hazard without the user carefully studying the design of the script. It is capable of doing anything that the user is capable of doing. This is in addition to the possible need for "network access" which you already mentioned.
There are use-cases where software is compiled in secure environments, or otherwise without network access.
It is true that Autotools-based packages could be seen as a security menace because they execute arbitrary scripts, but at least they are usually released in a way which allows them to be validated.
Any generic instructions should make the user aware of these issues.

Bob
--
Bob Friesenhahn
bfriesen@xxxxxxxxxxxxxxxxxxx, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt