On 2023-08-14 14:14, Bob Friesenhahn wrote:
> To me, an arbitrary bootstrap script is both a privacy and security hazard without the user carefully studying the design of the script.
The same is true for ‘configure’, which is 2,182,586 bytes in my copy of coreutils. Or for Makefiles (even bigger in coreutils). In contrast, coreutils’ ‘bootstrap’ file is only 51,676 bytes, so it should be much easier to audit.
> Autotools-based packages could be seen as a security menace because they execute arbitrary scripts, but at least they are usually released in a way which allows them to be validated.
I would hope that whatever validation procedure handles ‘configure’ and ‘make’ can also handle ‘bootstrap’.