This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
Re: [Patch]: upgrade to automake 1.11.1
Ralf Wildenhues wrote:
> Hello Tristan,
>
> * Tristan Gingold wrote on Wed, Mar 31, 2010 at 10:20:43AM CEST:
>> automake 1.11 has a security issue and gnu.org sites don't allow
>> uploading packages that still use automake 1.11.
Hi Tristan, Ralf,
> How unfortunate. binutils doesn't contain or use the 'make dist' rule
> which contains the bug. The Automake option 'no-dist' prevents the
> rules from being present in the generated makefiles.
>
> Why can gnu.org not grep for the presence of the rule instead?
> That's the usual Autoconf-like approach, and distributions are
> going to backport security fixes over upgrading versions, too.
> Jim?
The upload check searches for the offending chmod command
which does something equivalent to chmod -R 777 ...
That is part of the distdir rule, so if no-dist doesn't
arrange to elide that rule, it'll still trigger the rejection.
But in a way, it's still legit, since an offending rule is still
being distributed, and while far-fetched, someone could
conceivably run "make distdir".
Note that while I suggested and reviewed the code to perform
that check, I cannot change it. I don't even have access to the
official repo containing that code, afaik.
If you want to refine the check, we can check with GNU sysadmins.
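
The refinement discussed in this thread is to flag a package by what its generated makefile contains, not by the automake version that produced it. The sketch below is an added example and not the gnu.org upload check, whose code does not appear in this message. It looks only inside the distdir rule and reports chmod commands that grant write permission to "other". The function names and the Makefile.in fragments are constructed for illustration.

```python
import re

def world_writable(mode):
    """True if a chmod mode argument grants write permission to 'other'."""
    if re.fullmatch(r"[0-7]{3,4}", mode):          # octal, e.g. 777
        return int(mode[-1]) & 2 != 0
    for clause in mode.split(","):                 # symbolic, e.g. u+rwx,go+rx
        m = re.fullmatch(r"([ugoa]*)([+=])([rwxXst]*)", clause)
        if m and "w" in m.group(3) and set(m.group(1)) & {"o", "a"}:
            return True
    return False

def recipe_lines(makefile_text, target):
    """Yield the recipe lines of `target`, with backslash continuations joined."""
    in_rule = False
    for line in makefile_text.replace("\\\n", " ").splitlines():
        if line.startswith("\t"):
            if in_rule:
                yield line
        elif line.strip():                         # a new rule or assignment
            in_rule = re.match(re.escape(target) + r"\s*:", line) is not None

def offending_chmods(makefile_text, target="distdir"):
    """Return the world-writable chmod commands found in the target's recipe."""
    hits = []
    for line in recipe_lines(makefile_text, target):
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok == "chmod":
                # Skip option flags such as -R; the first remaining token is the mode.
                args = [t for t in tokens[i + 1:] if not t.startswith("-")]
                if args and world_writable(args[0]):
                    hits.append("chmod " + args[0])
    return hits

# Constructed Makefile.in fragments (assumed shapes, not copied from any release).
OLD_RULE = """distdir: $(DISTFILES)
\t-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \\; -o \\
\t  ! -type d ! -perm -444 -exec chmod a+r {} \\;
"""
NEW_RULE = OLD_RULE.replace("-777", "-755").replace("a+rwx", "u+rwx,go+rx")
NO_DIST = "all: prog\n\tchmod 755 prog\n"          # no distdir rule at all

if __name__ == "__main__":
    for name, text in [("old", OLD_RULE), ("new", NEW_RULE), ("no-dist", NO_DIST)]:
        print(name, offending_chmods(text) or "clean")
```

A makefile with no distdir rule, or with a distdir rule whose chmod no longer grants world write, passes this check regardless of the automake version recorded in its header.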