Re: [PATCH 3/7] build: require Automake >= 1.11.6

[Jim Meyering]

Erik Auerswald wrote:
> On Fri, Aug 31, 2012 at 09:19:19AM +0200, Jim Meyering wrote:
>> Bernhard Voelker wrote:
>> > On 08/30/2012 02:13 PM, Stefano Lattarini wrote:
>> >> Now that we use AM_TESTS_ENVIRONMENT, we should require at least
>> >> Automake >= 1.11.2; but since all the Automake version until 1.11.5
>> >> are vulnerable to CVE-2012-3386:
>> >>
>> >>   <https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html>
>> >>
>> >> it's even better to require 1.11.6.
>> >
>> > I don't like this idea: I'm personally using OpenSuSE 12.1
>> > (which is still the current version) which comes with 1.11.1.
>> > To satisfy sc_vulnerable_makefile_CVE-2012-3386, I've patched
>> > my /usr/share/automake-1.11/am/distdir.am.
>> >
>> > So the question I'm putting forward is:
>> > shouldn't COREUTILS be at least compileable on the latest
>> > version of the major distributions?
>>
>> First, let's agree on terminology.  Anyone can compile
>> the tools on nearly any type of system, assuming they
>> start from a distribution tarball.  I think you are talking
>> about a different process: building from git cloned sources.
>> That is a different process altogether.
>>
>> In a sense, I agree that it should be doable on most major
>> distributions, but you won't like the qualifying "but".
>> I think most major distributions should distribute much
>> newer versions of tools like autoconf, automake and gettext.
>> They are not like libraries.  I've been lobbying to update
>> these tools in older RHEL, with partial success.
>
> It has happened that Debian Sid (unstable) did not have new enough
> autotools to build coreutils from cloned git sources. That usually stops my
> urge to contribute at that time. ;-)
>
> Last time I checked Sid had new enough autotools, but this might well change
> during the Wheezy freeze.
>
>> However, even if your distribution chooses not to support this
>> aspect of development, you can easily work around that deficiency
>> by building all of the latest tools yourself and installing
>> them in a private "bin" directory early in your shell's search path.
>
> IMHO that additional hassle might discourage casual contributors.
>
> Anyway, I don't even know _how_ old autotools 1.11.2 is,

1.11.2 was released on 22 Dec 2011.

> so I'm not
> objecting to this actual requirement. I'd just like to raise awareness
> of this aspect.

Thanks.  This is one of the reasons I've been using Fedora on my desktop
for the last 6+ years.  A new version of Fedora comes out every 6 months,
and upgrade is usually easy, so I can track most of the latest tools
without having to install things myself.

>> This script automates the process for you, downloading all of the
>> latest tarballs, checking signatures (on all bug pkg-check, which
>> appears to have none), building, optionally running make check,
>> and installing:
>>
>>   http://people.redhat.com/meyering/autotools-install
>
> Please consider the following patch to that script:

Thanks!
I'm about to add scripts/autotools-install to coreutils.
Yours will be the first c-set for that file.

> ---8<------8<------8<------8<------8<------8<------8<------8<------8<---
>
> --- autotools-install.orig      2012-08-31 09:26:20.000000000 +0200
> +++ autotools-install   2012-08-31 09:28:46.000000000 +0200
> @@ -22,7 +22,7 @@
>
>  Options:
>   --prefix=PREFIX    install tools under specified directory
> - --skip-check       do not run "make check" (this can save 50+ min)
> + --skip-check       do not run \"make check\" (this can save 50+ min)
>   --help             display this help and exit
>
>  For example, to install programs into \$HOME/autotools/bin, run this command:
> @@ -31,7 +31,7 @@
>
>  If you've already verified that your system/environment can build working
>  versions of these tools, you can make this script complete in just a
> -minute or two (rather than about an hour if you let all "make check"
> +minute or two (rather than about an hour if you let all \"make check\"
>  tests run) by invoking it like this:
>
>    $prog_name --prefix=\$HOME/autotools --skip-check
>
> ---8<------8<------8<------8<------8<------8<------8<------8<------8<---
>
>> > I think a check like sc_vulnerable_makefile_CVE-2012-3386
>> > is enough.
>> >
>> > BTW: If you insist on this patch, then you also have to adapt
>> > README-prereq.
>>
>> Good point.  Thanks.  I'm tempted to remove the build instructions from
>> README-prereq, and instead to include my autotools-install script under
>> script and referencing it.  WDYT?
>
> I prefer written build instructions to a script. The script could be
> offered as a help on distributions lacking current enough autotools.

In that case, I'm happy to retain those instructions.
I think Pádraig also liked them.
Would one of you like to update README-prereq?