Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

[Bruno Haible]

Eric Gallager wrote:
> Recommending the `distcheck` target to a wider variety of users would
> help more projects catch mismatches between things a distribution
> tarball is supposed to contain, and things that it isn't.

While 'make distcheck' detects some of these mismatches, it does not
detect them all. In particular:

  * In order to detect that a tarball contains too many files, that is,
    some files that the release manager did not intend to include,
    the best way is to compare the file list of the current tarball
    with the previous version:
      $ diff -r -q package-prev_version/ package-curr_version/

  * In order to detect whether the packaged file list is consistent
    with the .gitignore file, one can use
      $ git status -u

Bruno