On Tue, Apr 02, 2024 at 10:59:10AM +0200, Florian Weimer wrote: > * Richard W. M. Jones: > > In the xz case this wouldn't have been enough, it turns out we would > > also have to delete m4/build-to-host.m4, which then autoreconf > > regenerates. I don't fully understand why that is. > > I would expect that's what the serial number is for? But that's just a > guess.
Yes, in this case the attacker had set the serial number to 30, but the latest upstream serial number was 3. autoreconf won't replace the file in this case unless it is deleted. There really should be an "always replace if you can" option in autoreconf. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
