Re: texinfo 4.2 missing from ftp?

[Gavin Smith]

On Thu, Jan 19, 2023 at 09:21:59AM +0100, Vitezslav Crhonek wrote:
> Hi,
> 
> Releases of texinfo used in Fedora can be found here (texinfo-4.2
> included):
> https://src.fedoraproject.org/lookaside/pkgs/texinfo/
> 
> Given to Fedora guidelines they all should be unmodified. Later releases
> are stored also with signature file.

Thanks, this is great!

I've had a look and tried to upload to ftp.gnu.org what was missing.
However, ftp.gnu.org rejects the uploads:

    file rejected: texinfo-4.0.tar.gz contains a vulnerable Makefile.in
    CVE-2009-4029
    Regenerate it with automake 1.11.6 / 1.12.2 or newer.

and
    
    file rejected: texinfo-4.2.tar.bz2 contains a vulnerable Makefile.in
    CVE-2009-4029
    Regenerate it with automake 1.11.6 / 1.12.2 or newer.
    
    file rejected: texinfo-4.2.tar.bz2 contains a vulnerable Makefile.in
    CVE-2012-3386
    
    Regenerate it with automake 1.11.6 / 1.12.2 or newer.

This was also the case with a few old versions I uploaded to
ftp.gnu.org in the past.  In texinfo-4.1.tar.gz on ftp.gnu.org,
uploaded 2020-11-07, I added a file in the top directory, "ORIGIN":

    Makefile.in was edited to allow upload of this file, due to the
    following errors:
    
    file rejected: texinfo-4.1.tar.gz contains a vulnerable Makefile.in
    CVE-2009-4029
    Regenerate it with automake 1.11.6 / 1.12.2 or newer.
    
    file rejected: texinfo-4.1.tar.gz contains a vulnerable Makefile.in
    CVE-2012-3386
    Regenerate it with automake 1.11.6 / 1.12.2 or newer.
    
    The original file is identifiable with
    
    $ md5sum texinfo-4.1.tar.gz
    552a0c428eddad61bab99c56f6dbeda5  texinfo-4.1.tar.gz

as well as an extra file Makefile.in-ORIG containing the original version,
with the differences:

    $ diff Makefile.in{-ORIG,}
    324c324
    <       -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
    ---
    >       -find $(distdir) -type d ! -perm -755 -exec chmod a+rwx {} \; -o \
    339c339
    < #     chmod -R a-w $(distdir); chmod a+w $(distdir)
    ---
    > #     chmod -R a-w $(distdir); chmod u+w $(distdir)


            ~~~~~~~~~~~ Question ~~~~~~~~~~~ 

What would the thoughts be about doing something similar to get these
missing releases uploaded: mainly 4.0, 4.2 and 4.3?

For Texinfo 4.0 onwards, missing are

4.0 (on Fedora)
4.2 (on Fedora)
4.3 (on Fedora)
4.4 (not on Fedora - according to NEWS file 4.5 only has a few changes
     over 4.4 so 4.4 may not be that historically important)
4.5 we only have .tar.gz but Fedora has .tar.bz2

I have copies of old release notices, but unfortunately, not of checksums.

I have not tried to upload texinfo-4.0b.tar.bz2 as this appears to have been
a pretest release (one of several with letter suffixes) so seems less
important.

Texinfo history before 4.0 gets murkier.  I have some 3.* (and even
2.* releases) uploaded to https://ftp.gnu.org/gnu/texinfo (again,
reuploads in 2020).  In 3.*, missing are:

3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.11
3.12

Diffs for some of these 3.* releases were allegedly available at
ftp.gnu.org; however, were taken down in 2003 following a security
breach; see https://ftp.gnu.org/MISSING-FILES.README

Here is the full list of missing Texinfo related files from
https://ftp.gnu.org/MISSING-FILES :

./gnu/texinfo/texinfo-3.4-3.5.diff.gz
./gnu/texinfo/texinfo-3.5-3.6.diff.gz
./gnu/texinfo/texinfo-3.6-3.7.diff.gz
./gnu/texinfo/texinfo-4.0-4.1.diff.gz
./gnu/texinfo/texinfo-4.1-4.2.diff.gz
./gnu/texinfo/texinfo-4.2-4.3.diff.bz2
./gnu/texinfo/texinfo-4.2-4.3.diff.gz
./gnu/texinfo/texinfo-4.3-4.4.diff.bz2
./gnu/texinfo/texinfo-4.3-4.4.diff.gz
./gnu/texinfo/texinfo-4.4-4.5.diff.bz2
./gnu/texinfo/texinfo-4.4-4.5.diff.gz
./gnu/texinfo/texinfo-4.5-4.6.diff.bz2
./gnu/texinfo/texinfo-4.5.tar.bz2
./gnu/texinfo/texinfo-4.5.tar.gz

It's not clear how widespead the Texinfo 2.* releases were and many of them
are described as beta releases in the NEWS file.  The oldest version I've
got, Texinfo 2.15, has the following text in the "New-features" file:

  The Texinfo 2 package is temporary; after a period of testing, the new
  documentation and software will be merged into the Emacs distribution.

Before that Texinfo-related files were all part of GNU Emacs.