Re: Three steps we could take to make supply chain attacks a bit harder

On Sat, Mar 30, 2024 at 10:02:42AM -0500, Michael Catanzaro wrote:
> On Sat, Mar 30 2024 at 02:55:21 PM +00:00:00, Zbigniew Jędrzejewski-Szmek
> <zbyszek@xxxxxxxxx> wrote:
> > CMake for many years fought against pkgconf and pushed people towards
> > copying those scripts into sources. It is still very common for projects
> > using CMake to come with a whole directory of badly written detection
> > scripts that each replace a single-line pkgconf invocation.
> > 
> > And of course nobody has time to look into those scripts, making it
> > easy to smuggle something through there.
> 
> It's still better than Autotools, though. If a project doesn't want to
> switch to Meson for whatever reason, then CMake is a reasonable alternative.
> 
> I agree that CMake is not as good as Meson, and that CMake find modules are
> inferior to pkg-config.

But then we shouldn't describe them as equivalent alternatives ;)
If we say "switch to a modern build system, e.g. cmake or meson",
people will randomly choose one or the other and, since the whole CMake
ecosystem is built around find modules, we'll end up with a bazillion of
those.

Instead we should say: "Use meson. If you can't for some reason, consider
CMake, but come talk to us first."

> The CMake developers are working on replacing find
> modules with CPS [1] which is intended to be a replacement for pkg-config
> that will work better on non-Linux platforms, where pkg-config is not always
> adequate. It looks like that work has maybe stalled? but if successful that
> would fix the problem with find modules.
> 
> [1] https://cps-org.github.io/cps/overview.html

Ack. But from our point of view, this wouldn't be great. We already have
pkgconf files for almost everything and CPS files for nothing…
In fact, we should probably make the effort to add pkgconf files for the
few libraries that don't have it to make it completely standard and
expected.

Zbyszek
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
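An added defensive check, not code from the thread or from any project's tooling, that does what the complaint about vendored find modules implies: list the Find*.cmake files in a source tree and flag those that run or fetch code at configure time, which is where a review should start. The directory layout, module names and module contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): list the CMake find modules
# vendored in a source tree and flag those that run or fetch code while
# `cmake` itself runs. A module that only calls find_path/find_library is
# cheap to review; one that calls execute_process or downloads files is
# where a replacement for a one-line lookup such as
#   pkg_check_modules(FOO REQUIRED IMPORTED_TARGET foo)
# can hide far more than a path search. The tree built by make_demo_tree
# is constructed for this demo.

# Commands that execute or fetch code at configure time.
SUSPECT_RE='execute_process|file\(DOWNLOAD|FetchContent|ExternalProject_Add'

# audit_find_modules DIR: prints one line per module, "review" or "ok".
audit_find_modules() {
    find "$1" -type f -name 'Find*.cmake' | sort | while IFS= read -r f; do
        if grep -Eiq "$SUSPECT_RE" "$f"; then
            echo "review  $f"
        else
            echo "ok      $f"
        fi
    done
}

# suspect_count DIR: number of modules needing review (prints 0 when clean).
suspect_count() {
    audit_find_modules "$1" | grep -c '^review' || true
}

# make_demo_tree: build a constructed source tree with two find modules
# and print its path. FindBar.cmake shells out to a *-config script,
# FindFoo.cmake only searches paths.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cmake"
    cat > "$d/cmake/FindFoo.cmake" <<'EOF'
find_path(FOO_INCLUDE_DIR foo.h)
find_library(FOO_LIBRARY foo)
EOF
    cat > "$d/cmake/FindBar.cmake" <<'EOF'
execute_process(COMMAND bar-config --cflags OUTPUT_VARIABLE BAR_CFLAGS)
EOF
    echo "$d"
}

tree=$(make_demo_tree)
audit_find_modules "$tree"
echo "$(suspect_count "$tree") module(s) need review"
```

Run it against a real checkout with `audit_find_modules path/to/source` to get the list of modules worth a manual read before packaging.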