New supply-chain security tool: backseat-signed
Theodore Ts'o
tytso at mit.edu
Thu Apr 11 14:26:55 UTC 2024
On Sat, Apr 06, 2024 at 04:30:44PM +0100, Simon McVittie wrote:
>
> But, it is conventional for Autotools projects to ship the generated
> ./configure script *as well* (for example this is what `make dist`
> outputs), to allow the project to be compiled on systems that do not
> have the complete Autotools system installed.
Or, because some upstream maintainers have learned through long,
bitter experience that newer versions of autoconf tools may result in
the generated configure script being busted (sometimes subtly), and
so distrust relying on blind autoreconf always working.

(For Debian, I always make sure that the upstream configure script for
autoconf is generated on a Debian testing system, and yes, I have had
to make adjustments to the "preferred form of modification" files so
that the resulting configure script works. For me, it's not that the
configure file is the preferred form of modification, but rather, the
preferred form of distribution.)

Yes, I realize that the logical follow-on to this is that perhaps we
should just abandon autotools completely; unfortunately, I'm not quite
willing to make the assertion, "all the world's Linux and I don't care
about portability to non-Linux systems" ala the position taken by the
systemd maintainers --- and for all its faults, autoconf still has
decades of portability work that is not easy to replace.
- Ted
More information about the rb-general
mailing list