On 05/11/2020 22:01, Junio C Hamano wrote:
> Ramsay Jones <ramsay@xxxxxxxxxxxxxxxxxxxx> writes:
>
>> diff --git a/.gitignore b/.gitignore
>> index 6232d33924..425b8cc2a4 100644
>> --- a/.gitignore
>> +++ b/.gitignore
>> @@ -191,6 +191,7 @@
>> /gitweb/static/gitweb.min.*
>> /config-list.h
>> /command-list.h
>> +/dist-tars
>> *.tar.gz
>> *.dsc
>> *.deb
>> diff --git a/Makefile b/Makefile
>> index 90e91a2185..bc9ce28bc3 100644
>> --- a/Makefile
>> +++ b/Makefile
>> @@ -3083,6 +3083,7 @@ dist: git-archive$(X) configure
>> --prefix=$(GIT_TARNAME)/ HEAD^{tree} > $(GIT_TARNAME).tar
>> @$(RM) -r .dist-tmp-dir
>> gzip -f -9 $(GIT_TARNAME).tar
>> + @echo $(GIT_TARNAME).tar.gz >>dist-tars
>
> Sorry, but I'd rather not to see such a longer-term "list of files
> to be removed" on the filesystem. This invites attackers to write a
> rogue test addition that writes into ../../dist-tars something like
> "~/.gitconfig" and wait for me to say "make clean".
Yes, that is a reasonable concern. I suppose we could drop the last
two patches then - most of the saving comes from the first four patches
(as you can see from the table in the cover letter).
Also, I had an alternative patch for the last patch, which did away with
the '-include GIT-VERSION-FILE' entirely! (That had treewide implications
that I hadn't sorted through yet).
ATB,
Ramsay Jones
