[Patch]: upgrade to automake 1.11.1

Jim Meyering jim@meyering.net
Wed Mar 31 15:17:00 GMT 2010


Ralf Wildenhues wrote:
> Hello Tristan,
>
> * Tristan Gingold wrote on Wed, Mar 31, 2010 at 10:20:43AM CEST:
> >> automake 1.11 has a security issue and gnu.org sites don't allow
> >> uploading packages that still use automake 1.11.

Hi Tristan, Ralf,

> How unfortunate.  binutils don't contain nor use the 'make dist' rule
> which contains the bug.  The Automake option 'no-dist' prevents the
> rules from being present in the generated makefiles.
>
> Why can gnu.org not grep for the presence of the rule instead?
> That's the usual Autoconf-like approach, and distributions are
> going to backport security fixes over upgrading versions, too.
> Jim?

The upload check searches for the offending chmod command
which does something equivalent to chmod -R 777 ...
That is part of the distdir rule, so if no-dist doesn't
arrange to elide that rule, it'll still trigger the rejection.
But in a way, it's still legit, since an offending rule is still
being distributed, and while far-fetched, someone could
conceivably run "make distdir".

Note that while I suggested and reviewed the code to perform
that check, I cannot change it.  I don't even have access to the
official repo containing that code, afaik.
If you want to refine the check, we can check with GNU sysadmins.
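
A check of the kind discussed in this message, as an added example that is not part of the original email and is not the code gnu.org runs. The regex, the function names and the sample Makefile.in fragments are assumptions constructed for illustration; the script also reports whether a distdir rule is present at all, which is the refinement raised in the thread.

```shell
#!/bin/sh
# Added example, not the gnu.org upload check. PATTERN is an assumed
# regex for a chmod that opens directories to everyone.
PATTERN='chmod[[:space:]]+(-R[[:space:]]+)?(a\+rwx|0?777)([[:space:]]|$)'

# scan_tree DIR: print every Makefile.in under DIR that matches PATTERN.
# Returns 1 if at least one file matched, 0 if the tree is clean.
scan_tree() {
    hits=$(find "$1" -type f -name Makefile.in \
               -exec grep -El "$PATTERN" {} + || true)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# has_distdir_rule FILE: true if FILE defines a distdir target at all,
# which is what the no-dist option is supposed to prevent.
has_distdir_rule() {
    grep -Eq '^distdir:' "$1"
}

# make_sample DIR: write constructed Makefile.in fragments (not copied
# from any real package) covering the three cases in the thread.
make_sample() {
    mkdir -p "$1/old" "$1/fixed" "$1/nodist"
    cat > "$1/old/Makefile.in" <<'EOF'
distdir: $(DISTFILES)
	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \;
EOF
    cat > "$1/fixed/Makefile.in" <<'EOF'
distdir: $(DISTFILES)
	-find "$(distdir)" -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \;
EOF
    printf 'all: prog\n' > "$1/nodist/Makefile.in"
}

# Demo: scan the constructed tree and report each hit.
tmp=$(mktemp -d)
make_sample "$tmp"
for f in $(scan_tree "$tmp"); do
    if has_distdir_rule "$f"; then rule=present; else rule=absent; fi
    echo "reject: $f (distdir rule $rule)"
done
rm -rf "$tmp"
```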


