Hello Richard, thanks for the report.
* Richard Cunningham wrote on Thu, Feb 26, 2009 at 03:32:03PM CET:
> I am finding that a number of packages come with tars with world write
> on some of the directories when unpacked (without a umask).
> I reported the issue to the lighttpd, who said:
>
> 'please file a bug on autotools at the gnu website. they do this on
> purpose for some unknown reason in "make dist".'
> http://redmine.lighttpd.net/issues/1921

If any, this would be an Automake bug rather than an Autoconf one.
Adding bug-automake in Cc:.

I'm not yet sure if it needs fixing, as a sensible umask avoids security
issues at unpacking time. Anyway, the current code is mandated by the
GNU Coding Standards, so it would need changing, too:

| Make sure that the directory into which the distribution unpacks (as
| well as any subdirectories) are all world-writable (octal mode 777).
| This is so that old versions of `tar' which preserve the ownership and
| permissions of the files from the tar archive will be able to extract
| all the files even if the user is unprivileged.
|
| Make sure that all the files in the distribution are world-readable.

The code in question lives in automake/lib/am/distdir.am and there
carries this comment:

## This complex find command will try to avoid changing the modes of
## links into the source tree, in case they're hard-linked.  It will
## also make directories writable by everybody, because some
## brain-dead tar implementations change ownership and permissions of
## a directory before extracting the files, thus becoming unable to
## extract them.
##
## Ignore return result from chmod, because it might give an error
## if we chmod a symlink.
##
## Another nastiness: if the file is unreadable by us, we make it
## readable regardless of the number of links to it.  This only
## happens in perverse cases.
[...]

This comment was added originally in:

commit 2d5c3abead3f72c457d886b92b3fbd977d273191
Author: Alexandre Oliva <ol...@...>
Date:   Mon Jun 7 03:34:04 1999 +0000

    * automake.in (dist_header): Avoid changing permissions of files
    in the source tree, trying a complex `find/chmod' command before
    falling back to plain chmod.
    (handle_dist_worker): Do not create directories with mode 777, the
    find above will take care of that.
    * m4/init.m4: Set install_sh for find/chmod above.

Some discussion I can find from around this time in the old list
archive: <http://sourceware.org/ml/automake/1999-05/msg00036.html>.
One should note that even then, the "old tar" versions hinted at in GCS
were considered old already.

Hope that helps.

Cheers,
Ralf
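
Added example, not part of the original mail or of Automake: a Python check that lists the directories in a distribution tarball stored with mode 777 and shows which of them stay world-writable after a given umask is applied at unpacking time. The sample archive, its member names and the function names are constructed for illustration.

```python
import io
import stat
import tarfile


def build_sample_dist():
    """Constructed sample: a tiny tarball shaped like `make dist` output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, is_dir in [
            ("pkg-1.0", 0o777, True),
            ("pkg-1.0/src", 0o777, True),
            ("pkg-1.0/doc", 0o755, True),
            ("pkg-1.0/configure", 0o755, False),
            ("pkg-1.0/README", 0o644, False),
        ]:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tar.addfile(info)  # regular members are zero-length
    return buf.getvalue()


def world_writable_dirs(data, umask=0o000, preserve=False):
    """Return [(name, stored_mode, effective_mode)] for directories that
    would still be world-writable after extraction.

    preserve=True models an extraction that keeps the archive's modes
    (for example tar -p); otherwise the umask is subtracted.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar:
            if not member.isdir():
                continue
            stored = stat.S_IMODE(member.mode)
            effective = stored if preserve else stored & ~umask
            if effective & stat.S_IWOTH:
                findings.append((member.name, stored, effective))
    return findings


if __name__ == "__main__":
    dist = build_sample_dist()
    for umask in (0o000, 0o022):
        hits = world_writable_dirs(dist, umask=umask)
        print(f"umask {umask:03o}: {[name for name, _, _ in hits]}")
```

With preserve=True the umask no longer helps, which is the case to watch when archives are unpacked with permissions preserved.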