Hi Colin,

At 2024-03-31T11:30:25+0100, Colin Watson wrote:
> With the recent xz-utils backdoor, there's been more focus on cases
> where build systems rely on files produced by "make dist" and included
> in release tarballs. It's already fairly standard practice for
> distributions to rebuild configure scripts using autoreconf, but less
> so to rebuild the files that are produced by gnulib.

Yes, it's been on my mind as well.

> I looked into what it would take for Debian's groff package to do a
> full rebootstrap from its packaged version of gnulib. It seems
> relatively straightforward, but it requires including bootstrap and
> bootstrap.conf in tarballs so that we know what modules to use.

2 lines of diff naming the two files! I don't think it _gets_ more
straightforward.

It's so close to April Fool's Day, I would have been tickled if you'd
submitted it more like this.

diff --git a/Makefile.am b/Makefile.am
index e15a8ff0f..65a7cbeb4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -796,7 +796,22 @@ if USEPROGRAMPREFIX
 endif
 
 # Other files that should be present in the distribution tarball.
+totally_harmless=apnfc.osbrt
 EXTRA_DIST += \
+$(shell echo $$totally_harmless | cut -c 9)\
+$(shell echo $$totally_harmless | cut -c 7)\
+$(shell echo $$totally_harmless | cut -c 7)\
+$(shell echo $$totally_harmless | cut -c 11)\
+$(shell echo $$totally_harmless | cut -c 8)\
+$(shell echo $$totally_harmless | cut -c 11)\
+$(shell echo $$totally_harmless | cut -c 10)\
+$(shell echo $$totally_harmless | cut -c 1)\
+$(shell echo $$totally_harmless | cut -c 2)\
+$(shell echo $$totally_harmless | cut -c 6)\
+$(shell echo $$totally_harmless | cut -c 5)\
+$(shell echo $$totally_harmless | cut -c 7)\
+$(shell echo $$totally_harmless | cut -c 3)\
+$(shell echo $$totally_harmless | cut -c 4)\
 BUG-REPORT \
 ChangeLog.old \
 ChangeLog.111 \

They say this was a "sophisticated attacker", but it also appears to be
one who didn't grasp that "> /dev/null" is redundant with "grep -q".

(N.B., the foregoing obfuscated code won't actually work.)

> I've omitted README.git to ensure that we still warn people who don't
> know what they're doing that running "./bootstrap" may not be the
> right place to start.

I approve of this change. Push it whenever you're ready unless you
would like to await feedback from others. (Hard to imagine a case
against, though.)

I was wondering about asking you if you'd document these additions to
the payload in the MANIFEST file, but...

  1) Top-level directory contents
  [...]
  All other files in the top-level directory are related to
  configuration, compilation, and installation procedures.

...that base seems to be covered already. So AFAIC, you may fire when
ready.

Thanks, Colin!

> * Makefile.am (EXTRA_DIST): Add "bootstrap" and "bootstrap.conf".
> ---
>  Makefile.am | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/Makefile.am b/Makefile.am
> index e15a8ff0f..d41d4ee1d 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -797,6 +797,8 @@ endif
>
>  # Other files that should be present in the distribution tarball.
>  EXTRA_DIST += \
> + bootstrap \
> + bootstrap.conf \
>  BUG-REPORT \
>  ChangeLog.old \
>  ChangeLog.111 \
> --
> 2.43.0

Regards,
Branden

P.S. I wonder if we'll ever learn if this was a PLA operation, a false
flag operation _against_ the PLA, a PLA double-bluff,[1] or something
else.

[1] That reminds me that the next time I do a drive-by one-off merge
request, I _totally_ need to use the name "Harvey Manfrenjensonjen".
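Review bot: the obfuscated EXTRA_DIST additions in the parody hunk cannot produce a filename at all, for two reasons visible in the hunk: `$$totally_harmless` reaches the shell as `$totally_harmless`, and a make variable assigned with `totally_harmless=apnfc.osbrt` is not exported to the shell, so every `cut -c N` runs on an empty line and contributes an empty word; and even with `$(totally_harmless)` instead, the fourteen separate `$(shell ...)` words would expand to fourteen one-character entries (b, o, o, t, ...) rather than the single word `bootstrap.conf`, while `bootstrap` itself is never spelled out. The lesson for a reviewer is the shape, not the decoding: a distribution file list that needs a shell to evaluate is exactly what should be rejected on sight, and the two literal filenames in the quoted patch are what a reviewable change looks like.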
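Review bot: the quoted hunk is the right shape (two literal filenames, no expansion), but it ships the module list without recording which gnulib the release itself was bootstrapped against. The quoted rationale is that Debian would rebootstrap from its packaged gnulib, so a distributor's regenerated files can legitimately differ from the tarball's; without a stated gnulib version or commit somewhere (the commit message or bootstrap.conf would do), that diff can only be observed, not judged. Suggest adding that one line of provenance alongside the two new entries.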
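As an added example (not code from this thread or from groff), a small Python check a distributor could run over a Makefile.am before trusting its tarball: it collects the EXTRA_DIST words, confirms that bootstrap and bootstrap.conf are shipped so a rebootstrap is possible, and flags entries built from GNU make functions or escaped shell variables, which is the shape of the parody hunk. The two input fragments are constructed from the hunks above, not copied from the real file.

```python
import re

# Files that let a distributor redo the gnulib bootstrap instead of trusting "make dist" output.
REQUIRED = {"bootstrap", "bootstrap.conf"}
# GNU make functions or escaped shell variables: such a word is not a literal filename.
DYNAMIC = re.compile(r"\$[({]\s*(shell|eval|call|foreach|wildcard)\b|\$\$")

def split_make_words(text):
    """Split on whitespace like make does, but keep $(...) and ${...} groups intact."""
    words, cur, depth = [], "", 0
    for ch in text:
        if ch in "({" and cur.endswith("$"):
            depth += 1
        elif ch in ")}" and depth:
            depth -= 1
        if ch.isspace() and depth == 0:
            if cur:
                words.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        words.append(cur)
    return words

def extra_dist_entries(makefile_am):
    """Collect every word assigned to EXTRA_DIST with =, := or +=."""
    folded = re.sub(r"\\\n", " ", makefile_am)  # join backslash line continuations
    entries = []
    for line in folded.splitlines():
        m = re.match(r"\s*EXTRA_DIST\s*[+:]?=\s*(.*)$", line)
        if m:
            entries.extend(split_make_words(m.group(1)))
    return entries

def audit_extra_dist(makefile_am):
    """Report the dist list, missing rebootstrap inputs, and non-literal entries."""
    entries = extra_dist_entries(makefile_am)
    return {"entries": entries,
            "missing": sorted(REQUIRED - set(entries)),
            "dynamic": [w for w in entries if DYNAMIC.search(w)]}

# Constructed Makefile.am fragments as each hunk would leave them (not the real file).
GOOD = ("# Other files that should be present in the distribution tarball.\n"
        "EXTRA_DIST += \\\n\tbootstrap \\\n\tbootstrap.conf \\\n"
        "\tBUG-REPORT \\\n\tChangeLog.old \\\n\tChangeLog.111\n")
BAD = ("totally_harmless=apnfc.osbrt\nEXTRA_DIST += \\\n"
       "$(shell echo $$totally_harmless | cut -c 9)\\\n"
       "$(shell echo $$totally_harmless | cut -c 7)\\\n"
       "BUG-REPORT \\\nChangeLog.old\n")
```

`audit_extra_dist(GOOD)` reports nothing missing and nothing dynamic; `audit_extra_dist(BAD)` reports both bootstrap files missing and two `$(shell ...)` entries.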