Re: New supply-chain security tool: backseat-signed

To: debian-devel@lists.debian.org
Subject: Re: New supply-chain security tool: backseat-signed
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 11 Apr 2024 15:37:46 +0100
Message-id: <[🔎] Zhf1uqAetVbIQSoI@riva.ucam.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20240411142655.GA203152@mit.edu>
References: <[🔎] 90adb17f-ff3a-43fd-a9e4-bd3e76ee1d3c@archlinux.org> <[🔎] Zgy9NN39zPD9siqb@localhost> <[🔎] e339c510-b4ea-43ed-b25f-2429df8684b8@archlinux.org> <[🔎] Zg8qPX2cg4EvQ7dI@localhost> <[🔎] 87bk6mn3ql.fsf@melete.silentflame.com> <ZhE1KQN6RdG1t/1c@localhost> <[🔎] 4c5781ca-99b2-4ac5-96f0-79a4c8de0614@archlinux.org> <[🔎] ZhFqpP23QYFGwvDp@remnant.pseudorandom.co.uk> <[🔎] 20240411142655.GA203152@mit.edu>

On Thu, Apr 11, 2024 at 10:26:55AM -0400, Theodore Ts'o wrote:
> On Sat, Apr 06, 2024 at 04:30:44PM +0100, Simon McVittie wrote:
> > But, it is conventional for Autotools projects to ship the generated
> > ./configure script *as well* (for example this is what `make dist`
> > outputs), to allow the project to be compiled on systems that do not
> > have the complete Autotools system installed.
> 
> Or, because some upstream maintainers have learned through, long,
> bitter experience that newer versions of autoconf tools may result in
> the generated configure script to be busted (sometimmes subtly), and
> so distrust relying on blind autoreconf always working.

When was the last time this actually happened to you?  I certainly
remember it being a problem in the early 2.5x days, but it's been well
over a decade since this actually bit me.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Re: New supply-chain security tool: backseat-signed
  - From: "Theodore Ts'o" <tytso@mit.edu>
- Re: New supply-chain security tool: backseat-signed
  - From: "G. Branden Robinson" <g.branden.robinson@gmail.com>

References:
- New supply-chain security tool: backseat-signed
  - From: kpcyrd <kpcyrd@archlinux.org>
- Re: New supply-chain security tool: backseat-signed
  - From: Adrian Bunk <bunk@debian.org>
- Re: New supply-chain security tool: backseat-signed
  - From: kpcyrd <kpcyrd@archlinux.org>
- Re: New supply-chain security tool: backseat-signed
  - From: Adrian Bunk <bunk@debian.org>
- Re: New supply-chain security tool: backseat-signed
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: New supply-chain security tool: backseat-signed
  - From: Adrian Bunk <bunk@debian.org>
- Re: New supply-chain security tool: backseat-signed
  - From: kpcyrd <kpcyrd@archlinux.org>
- Re: New supply-chain security tool: backseat-signed
  - From: Simon McVittie <smcv@debian.org>
- Re: New supply-chain security tool: backseat-signed
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Re: New supply-chain security tool: backseat-signed
Next by Date: Re: New supply-chain security tool: backseat-signed
Previous by thread: Re: New supply-chain security tool: backseat-signed
Next by thread: Re: New supply-chain security tool: backseat-signed
Index(es):
- Date
- Thread