On 02/04/2024 09:12, sebb wrote:
On Tue, 2 Apr 2024 at 08:47, Christofer Dutz <christofer.d...@c-ware.de> wrote:

Hi all,
I fully agree on this … and, adding to sebb’s statement, additional files
can happen even without malicious intent.

I have seen this several times, for example when Maven releases are built
directly from the main checkout rather than by the release plugin checking out
the release commit hash and building in a clean directory.
A clean checkout helps, but is no guarantee.

Spurious files can end up in a source tarball even when it is created
from a clean checkout.

I saw this in a Maven build where faulty test code left behind some
test artifacts.
Since Maven creates the source archive after the test phase, such
files can end up being included.

Nice idea in principle, but it is going to create issues for C-based projects in practice.

End users expect to be able to build C-based projects with configure, make, make install. That only works because the release manager runs a script (typically called buildconf, which uses autoconf) to create the support scripts required in the src tarball.

There are various possible solutions but I strongly suggest engagement with projects such as httpd before trying to change the current policy.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org
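The thread above describes two ways a source tarball can pick up files that are not in the release commit: build or test leftovers (the Maven surefire case) and release-manager-generated files that are expected to be there (the autoconf case). The following POSIX sh script is an added example, not part of this thread and not any ASF project's release tooling. It lists every file in a tarball that is neither in a version-control manifest of the release tag nor in an explicit allowlist of generated files, so the expected autoconf output passes while stray test artifacts are flagged. In real use the manifest would come from something like `git ls-tree -r --name-only <tag>`; here the project name `foo-1.0`, the manifest, the allowlist and the file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from any ASF project): report files
# present in a release tarball that are accounted for neither by the VCS
# manifest of the release tag nor by an allowlist of files the release
# manager is expected to generate (autoconf output such as "configure").

# spurious_files MANIFEST TARBALL ALLOW
#   Prints one path per line for every file in TARBALL (with the top-level
#   "name-version/" component stripped) that appears in neither MANIFEST
#   nor ALLOW. Prints nothing if the tarball is clean.
spurious_files() {
    _manifest=$1 _tarball=$2 _allow=$3
    _work=$(mktemp -d) || return 2
    # tar listing -> strip the leading directory component, drop directory
    # entries (which end in '/') and the now-empty top-level entry, and
    # sort so that comm(1) can compare the two lists.
    # `tar tf` auto-detects gzip/bzip2/xz compression on GNU and BSD tar.
    tar tf "$_tarball" \
        | sed -e 's#^[^/]*/##' \
        | grep -v -e '/$' -e '^$' \
        | sort -u > "$_work/actual"
    sort -u "$_manifest" "$_allow" > "$_work/expected"
    # lines only in "actual" are files nobody accounted for
    comm -23 "$_work/actual" "$_work/expected"
    rm -rf "$_work"
}

# check_tarball MANIFEST TARBALL ALLOW
#   Returns 0 when no spurious files exist, 1 otherwise (for gating a
#   release job).
check_tarball() {
    _out=$(spurious_files "$1" "$2" "$3")
    [ -z "$_out" ]
}

# demo [clean]
#   Builds a constructed sample tree (not a real project), tars it and prints
#   the spurious paths found. With the argument "clean" the leftover test
#   artifact is not created, so nothing should be reported.
demo() {
    _d=$(mktemp -d) || return 2
    mkdir -p "$_d/foo-1.0/src"
    printf 'int main(void) { return 0; }\n' > "$_d/foo-1.0/src/main.c"
    printf 'all:\n' > "$_d/foo-1.0/Makefile.am"
    # generated by the release manager's buildconf step: allowed
    : > "$_d/foo-1.0/configure"
    if [ "$1" != clean ]; then
        # leftover from a test run, never committed: must be flagged
        mkdir -p "$_d/foo-1.0/target/surefire-reports"
        : > "$_d/foo-1.0/target/surefire-reports/TEST-Foo.xml"
    fi
    # constructed stand-in for `git ls-tree -r --name-only v1.0`
    printf 'src/main.c\nMakefile.am\n' > "$_d/manifest"
    # constructed allowlist of release-time generated files
    printf 'configure\n' > "$_d/allow"
    tar czf "$_d/foo-1.0.tar.gz" -C "$_d" foo-1.0
    _found=$(spurious_files "$_d/manifest" "$_d/foo-1.0.tar.gz" "$_d/allow")
    rm -rf "$_d"
    printf '%s' "$_found"
}
```

For a real release the same comparison can be driven from `git archive <tag> | tar tf -` instead of a manifest file, and the allowlist is the place to record which generated files (configure, config.guess, Makefile.in and so on) the project deliberately ships; anything outside both lists is a question for the release manager before the vote.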