On Tue, 2004-06-22 at 17:33 -0400, Elliot Lee wrote: > Adding a 'cvs' dependency to 'gettext' will upset a few people, but it's > really not that bad a thing. Actually, the use of cvs like this strikes me as adding an easy way to trojan builds. Come up with a way to compromise the CVS server or just DNS mitm to masquerade as it and then drop in whatever you want into someone's package. Realistically, build machines should have zero need to talk to an outside server. > I looked at autopoint, and it should be reasonably easy to get rid of its > use of CVS by doing a checkout from archive.tar.gz at package build time > rather than runtime. Is autopoint even used at all? I'd prefer this approach be taken just for the security aspects from above. It looks like autopoint gets invoked by gettextize. Jeremy
