X.Org releases & automake security issue CVE-2009-4029

Alan Coopersmith Alan.Coopersmith at Sun.COM
Wed Dec 9 09:14:07 PST 2009


Matthieu Herrb wrote:
> Telling users of released tarballs to be careful is more than enough
> in my opinion.

And it will pretty much apply universally to all automake-built software, not
just ours.

> In most cases someone using a downloaded tarball will
> not use 'make dist' or distcheck. 

I've certainly never run it from the tarballs.

>> X.Org developers/maintainers should move to patched versions of automake
>> when possible for generating release tarballs going forward.
> 
> Sure, but please don't enforce by requiring the latest automake version
> in xorg-macros. Many people are running distributions that will
> ship patches to previous automake versions rather than blindly updating
> it.

We do want to encourage use of automake-1.11 for distributed tarballs, for
the automake silent rules, but I see no reason to enforce it in the macros,
which would break developers building from git or distros updating their
own packages, both of which should be free to use older versions for their
local builds.

We may want to someday discuss if there should be some sort of standards for
the autotool versions used in official tarballs - it does seem a bit strange
that you'll get different levels of support for platforms that were recently
added to autotools (or older platforms with recent fixes added to autotools)
depending on which maintainer/developer had time to build & post the tarballs.

-- 
	-Alan Coopersmith-           alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering


