This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: [Patch]: upgrade to automake 1.11.1


Ralf Wildenhues wrote:
> Hello Tristan,
>
> * Tristan Gingold wrote on Wed, Mar 31, 2010 at 10:20:43AM CEST:
>> automake 1.11 has a security issue and gnu.org sites don't allow
>> uploading packages that still use automake 1.11.

Hi Tristan, Ralf,

> How unfortunate.  binutils don't contain nor use the 'make dist' rule
> which contains the bug.  The Automake option 'no-dist' prevents the
> rules from being present in the generated makefiles.
>
> Why can gnu.org not grep for the presence of the rule instead?
> That's the usual Autoconf-like approach, and distributions are
> going to backport security fixes over upgrading versions, too.
> Jim?

The upload check searches for the offending chmod command
which does something equivalent to chmod -R 777 ...
That is part of the distdir rule, so if no-dist doesn't
arrange to elide that rule, it'll still trigger the rejection.
But in a way, it's still legit, since an offending rule is still
being distributed, and while far-fetched, someone could
conceivably run "make distdir".

Note that while I suggested and reviewed the code to perform
that check, I cannot change it.  I don't even have access to the
official repo containing that code, afaik.
If you want to refine the check, we can check with GNU sysadmins.
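
A sketch of the kind of check discussed above, as an added example that is not part of the original message and not the code the GNU upload site runs: it reports which makefile rule carries a recipe that makes files world-writable, so a finding is tied to the distdir rule itself rather than to the Automake version. The Makefile fragments are constructed samples and every function name is hypothetical.

```python
import re

def world_writable(mode):
    """True if a chmod mode argument grants write permission to 'other'."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o002)
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)[+=]([rwxXst]*)", clause)
        if m and set(m.group(1)) & {"a", "o"} and "w" in m.group(2):
            return True
    return False

def logical_lines(text):
    """Join backslash-continued lines; yield (first line number, joined text)."""
    buf, start = "", 0
    for n, line in enumerate(text.splitlines(), 1):
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf = ""
    if buf:
        yield start, buf

def find_offending_rules(makefile_text):
    """Return (line, target, mode) for each recipe chmod that is world-writable."""
    findings, target = [], None
    for lineno, line in logical_lines(makefile_text):
        header = re.match(r"([^\s#:=][^:=]*):(?!=)", line)
        if header:
            target = header.group(1).strip()
        elif line.startswith("\t") and target:
            words = line.split()
            for i, word in enumerate(words):
                if word == "chmod":
                    # First argument that is not an option (e.g. -R) is the mode.
                    mode = next((a for a in words[i + 1:] if not a.startswith("-")), "")
                    if world_writable(mode):
                        findings.append((lineno, target, mode))
    return findings

# Constructed samples modelled on the thread's description, not copied from a release.
VULNERABLE = """distdir: $(DISTFILES)
\ttest -d $(distdir) || mkdir $(distdir)
\t-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \\; -o \\
\t  ! -type d ! -perm -444 -exec chmod a+r {} \\;
"""
HARDENED = VULNERABLE.replace("-perm -777 -exec chmod a+rwx", "-perm -755 -exec chmod u+rwx,go+rx")

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_offending_rules(text))
```

A makefile generated without any distdir rule produces no finding, while one that still ships the rule is flagged even if nobody is expected to run it.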

