coreutils

Re: [PATCH 3/7] build: require Automake >= 1.11.6


From: Jim Meyering
Subject: Re: [PATCH 3/7] build: require Automake >= 1.11.6
Date: Fri, 31 Aug 2012 09:19:19 +0200

Bernhard Voelker wrote:

> On 08/30/2012 02:13 PM, Stefano Lattarini wrote:
>> Now that we use AM_TESTS_ENVIRONMENT, we should require at least
>> Automake >= 1.11.2; but since all the Automake versions until 1.11.5
>> are vulnerable to CVE-2012-3386:
>>
>>   <https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html>
>>
>> it's even better to require 1.11.6.
>
> I don't like this idea: I'm personally using OpenSuSE 12.1
> (which is still the current version) which comes with 1.11.1.
> To satisfy sc_vulnerable_makefile_CVE-2012-3386, I've patched
> my /usr/share/automake-1.11/am/distdir.am.
>
> So the question I'm putting forward is:
> shouldn't COREUTILS be at least compilable on the latest
> version of the major distributions?

Hi Bernhard,

First, let's agree on terminology.  Anyone can compile
the tools on nearly any type of system, assuming they
start from a distribution tarball.  I think you are talking
about a different process: building from git cloned sources.
That is a different process altogether.

In a sense, I agree that it should be doable on most major
distributions, but you won't like the qualifying "but".
I think most major distributions should distribute much
newer versions of tools like autoconf, automake and gettext.
They are not like libraries.  I've been lobbying to update
these tools in older RHEL, with partial success.

I.e., I think upstream development should be tracking the
latest features of the latest tools.  In particular, while
autoconf and gettext are not evolving quickly these days,
automake *is*, and given the big return on investment in
non-recursive make (more efficient builds, day to day) and
the prospect of even cleaner/better Makefile.am files with the
upcoming automake-ng, we would be remiss not to take advantage
of contributions like those from Stefano.

However, even if your distribution chooses not to support this
aspect of development, you can easily work around that deficiency
by building all of the latest tools yourself and installing
them in a private "bin" directory early in your shell's search path.
This script automates the process for you, downloading all of the
latest tarballs, checking signatures (on all but pkg-check, which
appears to have none), building, optionally running make check,
and installing:

  http://people.redhat.com/meyering/autotools-install

If you run it, be sure to heed this advice in its --help output:

    If you've already verified that your system/environment can build working
    versions of these tools, you can make this script complete in just a
    minute or two (rather than about an hour if you let all make check
    tests run) by invoking it like this:

        autotools-install --prefix=$HOME/autotools --skip-check


> I think a check like sc_vulnerable_makefile_CVE-2012-3386
> is enough.
>
> BTW: If you insist on this patch, then you also have to adapt
> README-prereq.

Good point.  Thanks.  I'm tempted to remove the build instructions from
README-prereq, and instead to include my autotools-install script under
script and reference it.  WDYT?

I'd have to change autotools-install to add xz, and possibly to remove
(or make optional) libtool and pkg-config, since those packages are not
needed to build coreutils.
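As an added illustration, not code from this thread or from gnulib/coreutils, here is a small POSIX-sh stand-in for the kind of check that `sc_vulnerable_makefile_CVE-2012-3386` performs: it scans generated Makefile.in files for the distdir recipe that Automake releases before 1.11.6 emitted, which ran `chmod a+rwx` on every directory of `$(distdir)` and left the distribution tree world-writable. The regex, the function names (`check_distdir_recipe`, `count_vulnerable_makefiles`) and the two sample Makefile.in fragments are constructed here and are assumptions; gnulib's real rule may match differently.

```shell
#!/bin/sh
# Added example, not gnulib's or coreutils' code: a stand-in for a
# "vulnerable Makefile" syntax check.  Automake releases before 1.11.6
# emitted a distdir recipe that ran "chmod a+rwx" on every directory of
# $(distdir), leaving the distribution tree world-writable (CVE-2012-3386).
# The regex below is an assumption modelled on that recipe; the real
# sc_vulnerable_makefile_CVE-2012-3386 rule may match differently.

# check_distdir_recipe FILE: return 0 if FILE looks clean, 1 if it
# contains the world-writable distdir recipe.
check_distdir_recipe() {
  if grep -E 'perm -777 -exec chmod a[+]rwx|chmod 777 "?[$][(]distdir[)]' \
       "$1" >/dev/null; then
    echo "$1: world-writable distdir recipe (CVE-2012-3386 pattern)" >&2
    return 1
  fi
  return 0
}

# count_vulnerable_makefiles DIR: print how many Makefile.in files under
# DIR fail the check (0 means the tree passes).  Paths are assumed to
# contain no whitespace, as in a typical source tree.
count_vulnerable_makefiles() {
  n=0
  for f in $(find "$1" -name Makefile.in); do
    check_distdir_recipe "$f" || n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample tree: one Makefile.in in the style of the vulnerable
# Automake output, one in the style of the fixed (1.11.6) output.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
mkdir -p "$sample_dir/vuln" "$sample_dir/fixed"
cat >"$sample_dir/vuln/Makefile.in" <<'EOF'
	-find "$(distdir)" -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
	|| chmod -R a+r "$(distdir)"
EOF
cat >"$sample_dir/fixed/Makefile.in" <<'EOF'
	-test -n "$(am__skip_mode_fix)" \
	|| find "$(distdir)" -type d ! -perm -755 \
		-exec chmod u+rwx,go+rx {} \; -o \
	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
	|| chmod -R a+r "$(distdir)"
EOF

echo "vulnerable Makefile.in files: $(count_vulnerable_makefiles "$sample_dir")"
```

Run against a real source tree by replacing `$sample_dir` with the top-level directory after `automake` has generated the Makefile.in files; a non-zero count means the installed Automake still emits the world-writable recipe (or, as Bernhard did, that distdir.am needs patching before regenerating).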
