On Tue, 2 Apr 2024 at 09:51, Mark Thomas <ma...@apache.org> wrote:
>
> On 02/04/2024 09:12, sebb wrote:
> > On Tue, 2 Apr 2024 at 08:47, Christofer Dutz <christofer.d...@c-ware.de> 
> > wrote:
> >>
> >> Hi all,
> >>
> >> I fully agree on this … and, adding to sebb’s statement, additional 
> >> files can happen even without malicious intent.
> >>
> >> I have seen this several times, for example when Maven releases are built 
> >> directly from the main checkout rather than by the release plugin checking 
> >> out the release commit hash and building in a clean directory.
> >>
> >
> > A clean checkout helps, but is no guarantee.
> >
> > Spurious files can end up in a source tarball even when it is created
> > from a clean checkout.
> >
> > I saw this in a Maven build where faulty test code left behind some
> > test artifacts.
> > Since Maven creates the source archive after the test phase, such
> > files can end up being included.
>
> Nice idea in principle, but it is going to create issues for C based
> projects in practice.
>
> End users expect to be able to build C based projects with configure,
> make, make install. That only works because the release manager runs a
> script (typically called buildconf that uses autoconf) to create the
> support scripts required in the src tarball.

Yes, there may be some exceptions where files are needed in the
tarball that are not in the repo.
However, these must be directly derivable from the source repo by
anyone with the appropriate tools.

> There are various possible solutions but I strongly suggest engagement
> with projects such as httpd before trying to change the current policy.
>
> Mark
>

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org
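The check sebb is describing (every file in the tarball is either tracked in the repo at the release tag or is a declared, regenerable artifact such as the autoconf output Mark mentions) can be automated. The script below is an added example written for this thread; it is not Apache tooling and not any project's release script. It assumes a tarball with a single top-level directory (foo-1.0/...), a tracked-file list taken from `git ls-tree` at the release tag, and a release-manager-supplied allowlist of files that are generated at release time (for example `configure` produced by buildconf). The tracked set, the allowlist and the tarball contents in the sample are constructed, not taken from any real release.

```python
"""Compare a source release tarball against the repository it claims to be
built from.  Added example for this thread; not Apache tooling and not any
project's release script.  Assumptions: the tarball has one top-level
directory (foo-1.0/...), the tracked-file list comes from `git ls-tree` at
the release tag, and the release manager supplies an allowlist of files that
are legitimately generated at release time (e.g. `configure` from
buildconf/autoconf) and are therefore absent from git."""
import hashlib
import io
import os
import subprocess
import tarfile
import tempfile
from pathlib import PurePosixPath


def tarball_files(path):
    """Map each regular file in the tarball (top-level dir stripped) to its
    SHA-256, so content and not just names can be compared."""
    files = {}
    with tarfile.open(path, "r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = PurePosixPath(member.name).parts
            if len(parts) < 2:  # entry at the root, e.g. the top dir itself
                continue
            data = tar.extractfile(member).read()
            files[str(PurePosixPath(*parts[1:]))] = hashlib.sha256(data).hexdigest()
    return files


def tracked_files(repo_dir, ref):
    """Paths tracked in git at `ref` (the release tag).  Assumes git is on
    PATH; this is the only function that touches a real repository."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "--name-only", ref],
        check=True, capture_output=True, text=True,
    ).stdout
    return {line for line in out.splitlines() if line}


def hash_tree(root):
    """SHA-256 of every file under `root` (e.g. a clean checkout after running
    buildconf), keyed by path relative to root, for comparison with the tarball."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def classify(tar_files, tracked, generated_ok=frozenset()):
    """Split tarball contents into tracked-in-git, allowlisted generated files,
    and files nobody can account for; also report tracked files the tarball
    lacks, which is a different packaging error."""
    names = set(tar_files)
    return {
        "generated": sorted(names & set(generated_ok)),
        "unexplained": sorted(names - tracked - set(generated_ok)),
        "missing": sorted(tracked - names),
    }


def verify_generated(tar_files, regenerated, generated_ok):
    """An allowlist entry is not enough on its own: the shipped file must match
    what a clean checkout plus the documented tool produces.  Returns the
    allowlisted names whose tarball hash differs from the regenerated tree."""
    return sorted(
        name for name in generated_ok
        if name in tar_files and tar_files[name] != regenerated.get(name)
    )


# Constructed sample data standing in for a real release tag and allowlist.
SAMPLE_TRACKED = {"src/main.c", "configure.ac", "buildconf"}
SAMPLE_GENERATED_OK = {"configure"}


def build_sample_tarball():
    """Write a constructed tarball containing one honest generated file and one
    leftover test artifact (the case described in the thread)."""
    contents = {
        "foo-1.0/src/main.c": b"int main(void) { return 0; }\n",
        "foo-1.0/configure.ac": b"AC_INIT([foo], [1.0])\n",
        "foo-1.0/buildconf": b"#!/bin/sh\nautoconf\n",
        "foo-1.0/configure": b"#!/bin/sh\n# generated by autoconf\n",
        "foo-1.0/target/surefire-reports/leftover.bin": b"\x00\x01junk",
    }
    path = os.path.join(tempfile.mkdtemp(), "foo-1.0.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        for name, data in contents.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    tf = tarball_files(build_sample_tarball())
    for kind, names in classify(tf, SAMPLE_TRACKED, SAMPLE_GENERATED_OK).items():
        print(f"{kind}: {names}")
```

Against a real release you would replace the sample data with `tracked_files(repo, "rel/1.0")` and, for the allowlisted files, `hash_tree()` of a fresh checkout on which buildconf has been run, then fail the vote if "unexplained" is non-empty or `verify_generated` reports a mismatch. The second check is what makes Mark's exception safe: the tarball may carry files git does not, but only ones any reviewer can regenerate byte-for-byte.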
