On Tue, Apr 2, 2024 at 4:59 AM Florian Weimer <fweimer(a)redhat.com> wrote:
> * Richard W. M. Jones:
> > I'm not pretending these will solve everything, but they should make
> > attacks a little harder in future.
> >
> > (1) We should routinely delete autoconf-generated cruft from upstream
> > projects and regenerate it in %prep. It is easier to study the real
> > source rather than dig through the convoluted, generated shell script
> > in an upstream './configure' looking for back doors.
> >
> > For most projects, just running "autoreconf -fiv" is enough.
> >
> > Yes, there are some projects that depend on a specific or old version
> > of autoconf. We should fix those. But that doesn't need to delay us
> > from using autoreconf on many projects today.
>
> Not shipping the m4 files and other artifacts required for regenerating
> autoconf scripts is not exactly rare, unfortunately. I have filed a
> bunch of bugs because it's my understanding that this incomplete source
> code is against Fedora policies, but in the end, there isn't much we can
> do about it.
>
> But I sympathize with this approach, we should build from sources as
> much as we can. Maybe not regenerate everything in %prep though; this
> really belongs in %build. It's invoking a compiler, after all.

We have a %conf stage for this purpose. We should start using it.
--
真実はいつも一つ!/ Always, there's only one truth!
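A spec skeleton that puts the two suggestions together, added here as an illustration rather than anything posted in the thread: the generated autotools files are deleted in %prep so reviewers see only real sources, and the build system is regenerated in the %conf stage (rpm >= 4.18) right before %configure. The package name, source URL, file list and the exact set of deleted files are placeholders and assumptions, not taken from any real package.

```spec
# Added example, not from the thread. Name, URL and file list are placeholders.
Name:           example-pkg
Version:        1.0
Release:        1%{?dist}
Summary:        Example of rebuilding the autotools build system from source
License:        MIT
URL:            https://example.org/example-pkg
Source0:        %{url}/releases/%{name}-%{version}.tar.xz

# Regenerating the build system needs the autotools at build time.
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  libtool
BuildRequires:  gcc
BuildRequires:  make

%description
Placeholder description for the example package.

%prep
%autosetup -p1
# Drop generated build-system files so only hand-written sources remain to
# be reviewed.  Delete only what autoreconf recreates; any m4 macros that
# upstream wrote itself must stay, or the regeneration below will fail.
rm -f configure aclocal.m4 config.h.in ltmain.sh config.guess config.sub \
      compile depcomp install-sh missing test-driver
find . -name Makefile.in -delete
# libtoolize re-copies these from the system libtool package.
rm -f m4/libtool.m4 m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4

%conf
# Regeneration runs tools over the sources, so it belongs to configuring
# (%%conf), not to unpacking (%%prep).  -f overwrites anything left behind,
# -i installs the missing auxiliary files, -v shows each step in the log.
autoreconf -fiv
%configure

%build
%make_build

%install
%make_install

%files
%license LICENSE
%{_bindir}/%{name}
```

After %prep, `rpmbuild -bp` leaves a tree you can diff against upstream's git tag: any remaining `configure` or `Makefile.in` means the deletion list missed a generated file.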