--- Begin Message ---
On 01/04/2024 20:18, Guy Harris wrote:
> On Apr 1, 2024, at 6:53 AM, Michael Richardson <m...@sandelman.ca> wrote:
>
>> I wonder if we should nuke our own make tarball system.
>
> I.e., replace:
>
> to get {libpcap,tcpdump,tcpslice} version X.Y.Z, download
> {libpcap,tcpdump,tcpslice}-X.Y.Z.tar.{compression-suffix}
>
> with
>
> to get {libpcap,tcpdump,tcpslice} version X.Y.Z, do
>
> git clone {repository}
>
> and then check out Git tag {libpcap,tcpdump,tcpslice}-X.Y.Z?
>
> If so, do we
>
> 1) require people to have autotools installed and run ./autogen.sh
>
> or
>
> 2) generate the configure scripts on some standard platform and check
> it in
>
> so that they have a configure script? Or is there some other way to arrange
> that people can get the configure scripts?
Even if we keep the tarball archive, we could have a host compromise (bad
autoconf, etc.) and if the "configure" script is generated on it, we risk
opening a door to an attack.
Thus, don't deliver "configure" in the tarball and ask to run "./autogen.sh"
with autotools installed.
--- End Message ---
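The concern raised in this message is that a release tarball can carry files, such as a generated "configure", that exist in no Git commit. As an added example (not from the thread or from the tcpdump project), this Python code lists tarball members that are absent from, or differ from, the files tracked at the release tag. The file names, contents, the `libpcap-X.Y.Z` prefix and the `tracked` hash map are constructed; in practice the map would be computed from a checkout of the tag.

```python
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_tarball(tar_bytes: bytes, tracked: dict) -> dict:
    """Compare release tarball members with the files tracked at the Git tag.

    tracked maps repository-relative path -> SHA-256 of that file at the tag.
    """
    extra, modified, seen = [], [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Strip the leading "name-X.Y.Z/" directory used by release tarballs.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digest = sha256(tar.extractfile(member).read())
            seen.add(rel)
            if rel not in tracked:
                extra.append(rel)      # not in Git: produced by the release process
            elif tracked[rel] != digest:
                modified.append(rel)   # content differs from the tagged commit
    missing = sorted(set(tracked) - seen)
    return {"extra": sorted(extra), "modified": sorted(modified), "missing": missing}


def build_sample_tarball(files: dict, prefix: str) -> bytes:
    """Build a constructed in-memory .tar.gz for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: files tracked at the tag vs. what the tarball ships.
GIT_FILES = {"configure.ac": b"AC_INIT\n", "autogen.sh": b"#!/bin/sh\nautoreconf -i\n",
             "pcap.c": b"int x = 0;\n"}
TARBALL_FILES = {**GIT_FILES, "configure": b"#!/bin/sh\n# generated\n",
                 "pcap.c": b"int x = 1;\n"}
TRACKED = {path: sha256(data) for path, data in GIT_FILES.items()}

if __name__ == "__main__":
    print(audit_tarball(build_sample_tarball(TARBALL_FILES, "libpcap-X.Y.Z"), TRACKED))
```

Every path under "extra" is content a reviewer of the Git history never saw, which is where a script generated on a compromised release host would appear.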
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org