Re: packages that BuildRequire: gettext that need to change to gettext-devel

On Tue, 2004-06-22 at 17:33 -0400, Elliot Lee wrote:
> Adding a 'cvs' dependency to 'gettext' will upset a few people, but it's 
> really not that bad a thing.

Actually, the use of cvs like this strikes me as adding an easy way to
trojan builds.  Come up with a way to compromise the CVS server or just
DNS mitm to masquerade as it and then drop in whatever you want into
someone's package.

Realistically, build machines should have zero need to talk to an
outside server.  

> I looked at autopoint, and it should be reasonably easy to get rid of its
> use of CVS by doing a checkout from archive.tar.gz at package build time
> rather than runtime. Is autopoint even used at all?

I'd prefer this approach be taken just for the security aspects from
above.  It looks like autopoint gets invoked by gettextize.

Jeremy
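
Added example, not part of the original message: a small lint for the concern raised above, flagging commands in an RPM spec's build-time sections that would contact a remote server. The spec text, host names and the list of commands treated as network access are constructed assumptions.

```python
import re

# Sections whose scriptlets execute on the build machine.
BUILD_SECTIONS = {"%prep", "%build", "%install", "%check"}

# Any of these headers starts a new spec section.
SECTION_RE = re.compile(
    r"^%(prep|build|install|check|files|changelog|description|package"
    r"|pre|post|preun|postun|clean)\b"
)

# Assumed list of ways a build script reaches a remote server. A cvs call
# only counts when its CVSROOT names a remote access method.
NETWORK_RE = re.compile(
    r"\b(wget|curl|rsync|scp|ftp)\b"
    r"|\b(git\s+clone|svn\s+(co|checkout))\b"
    r"|\bcvs\b.*:(pserver|ext|gserver):"
    r"|\b(https?|ftp)://"
)

def find_network_use(spec_text):
    """Return (line number, section, line) for build-time network access."""
    findings = []
    section = None  # None while still in the preamble (Name:, Source0:, ...)
    for lineno, line in enumerate(spec_text.splitlines(), 1):
        stripped = line.strip()
        header = SECTION_RE.match(stripped)
        if header:
            section = "%" + header.group(1)
            continue
        if section not in BUILD_SECTIONS or stripped.startswith("#"):
            continue
        if NETWORK_RE.search(stripped):
            findings.append((lineno, section, stripped))
    return findings

# Constructed sample spec; example.invalid hosts are placeholders.
SAMPLE_SPEC = """\
Name: example
Source0: http://example.invalid/example-1.0.tar.gz

%prep
%setup -q
cvs -d :pserver:anonymous@cvs.example.invalid:/cvsroot co po

%build
%configure
make

%install
make install DESTDIR=$RPM_BUILD_ROOT
wget http://example.invalid/extra.dat

%changelog
* Tue Jun 22 2004 - fetch from http://example.invalid
"""

if __name__ == "__main__":
    for lineno, section, text in find_network_use(SAMPLE_SPEC):
        print(f"line {lineno} ({section}): {text}")
```

The Source0 URL in the preamble and the URL in the changelog are not reported, since neither is executed during the build.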


