On Tue, Apr 2, 2024 at 4:59 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>
> * Richard W. M. Jones:
>
> > I'm not pretending these will solve everything, but they should make
> > attacks a little harder in future.
> >
> >
> > (1) We should routinely delete autoconf-generated cruft from upstream
> > projects and regenerate it in %prep.  It is easier to study the real
> > source rather than dig through the convoluted, generated shell script
> > in an upstream './configure' looking for back doors.
> >
> > For most projects, just running "autoreconf -fiv" is enough.
> >
> > Yes, there are some projects that depend on a specific or old version
> > of autoconf.  We should fix those.  But that doesn't need to delay us
> > from using autoreconf on many projects today.
>
> Not shipping the m4 files and other artifacts required for regenerating
> autoconf scripts is not exactly rare, unfortunately.  I have filed a
> bunch of bugs because it's my understanding that this incomplete source
> code is against Fedora policies, but in the end, there isn't much we can
> do about it.
>
> But I sympathize with this approach, we should build from sources as
> much as we can.  Maybe not regenerate everything in %prep though, this
> really belongs into %build.  It's invoking a compiler, after all.
>

We have a %conf stage for this purpose. We should start using it.

--
真実はいつも一つ!/ Always, there's only one truth!
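As an added example (not part of the thread, and not Fedora tooling), the "delete the generated cruft before regenerating" step discussed above could be scripted as follows. The function names are hypothetical; the marker strings are the header comments that autoconf, automake, aclocal and autoheader write into their output.

```shell
#!/bin/sh
# Added example: find and remove autotools-generated files in an unpacked
# source tree so that only the real sources remain for review and rebuild.

# Print every candidate file under $1 whose header carries a generator marker.
list_generated() {
    find "$1" -type f \( -name configure -o -name Makefile.in \
        -o -name aclocal.m4 -o -name config.h.in \) | sort |
    while IFS= read -r f; do
        if head -n 10 "$f" | grep -Eq \
            'Generated by GNU Autoconf|generated by automake|generated automatically by aclocal|Generated from .* by autoheader'; then
            printf '%s\n' "$f"
        fi
    done
}

# Succeed only if the tree ships the input that autoreconf starts from.
can_regenerate() {
    [ -f "$1/configure.ac" ] || [ -f "$1/configure.in" ]
}

# Delete generated files, but refuse when they could not be rebuilt.
strip_generated() {
    can_regenerate "$1" || {
        echo "no configure.ac in $1, leaving tree alone" >&2
        return 1
    }
    list_generated "$1" | while IFS= read -r f; do rm -f -- "$f"; done
}

# Constructed sample tree so the script runs offline.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/src"
    printf 'AC_INIT([demo],[1.0])\n' > "$d/configure.ac"
    printf '#! /bin/sh\n# Generated by GNU Autoconf 2.71 for demo 1.0.\n' > "$d/configure"
    printf '# Makefile.in generated by automake 1.16.5 from Makefile.am.\n' > "$d/src/Makefile.in"
    printf '# hand-written template\n' > "$d/Makefile.in"
    strip_generated "$d"
    ls -R "$d"   # configure and src/Makefile.in are gone, the rest remains
    rm -rf "$d"
}
demo
```

Files matched by name but lacking a generator header are kept, so hand-written templates survive. The check does not tell you whether the m4 macros needed by "autoreconf -fiv" are shipped; that only shows up when the regeneration itself fails.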