[MPlayer-dev-eng] autosh*t @ freshmeat

Billy Biggs vektor at dumbterm.net
Sun Jun 22 15:45:47 CEST 2003


D Richard Felker III (dalias at aerifal.cx):

> On Sun, Jun 22, 2003 at 11:37:57AM +0200, Petr Tomasek wrote:
> > > (BTW, have you ever stopped to think how many trojans might be hiding
> > > in various packages' autoconf-generated configure scripts, since no
> > > one ever actually reads the output? Imagine if the developer in charge
> > > of releases got rooted and some trojan code was installed in their
> > > system-wide ac m4 macros... Naturally a handwritten configure script
> > > does not have this problem since every change is visible as it's
> > > committed to CVS.)
> > 
> > If you compromise the compiler, you don't even need a Makefile to
> > promote the trojan ;-)
> 
> Um, no. We're talking about source release, not binary packages.
> People don't put binaries generated by a compiler in cvs repositories
> or tarballs (at least hopefully not...) but they DO put configure
> scripts generated by autoconf there.

  Then they're silly.  configure scripts don't belong in your CVS repo,
just the configure.ac

  But yeah, we've had this discussion before.  There are lots of downsides
to autoconf, but I don't think the alternative is clear.  If someone did
a nice collection of portable shell script checks and did it nicely to show
me how to do that instead in my project, then maybe I'd take that option
more seriously.

  -Billy
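
The concern raised in this thread, that generated files shipped in a release never pass through review, can be checked mechanically. The following is an added example, not part of the original message or of MPlayer's tooling: it reports tarball files that are absent from, or differ from, the version-controlled tree. The function names, the `demo-1.0/` prefix and all file contents are constructed for illustration.

```python
import hashlib
import io
import tarfile

PREFIX = "demo-1.0/"  # constructed top-level directory of the release tarball


def audit_release(tarball: bytes, reviewed: dict, prefix: str = PREFIX) -> dict:
    """Compare regular files in a release tarball with the reviewed source tree.

    `reviewed` maps repo-relative paths to the committed file contents.
    """
    shipped = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, links and devices are not hashed here
            name = member.name
            path = name[len(prefix):] if name.startswith(prefix) else name
            shipped[path] = hashlib.sha256(tar.extractfile(member).read()).digest()
    known = {p: hashlib.sha256(d).digest() for p, d in reviewed.items()}
    return {
        # shipped but never committed: generated configure, aclocal.m4, ...
        "unreviewed": sorted(p for p in shipped if p not in known),
        # committed, but the shipped bytes differ from what was reviewed
        "modified": sorted(p for p in shipped if p in known and shipped[p] != known[p]),
        "missing": sorted(p for p in known if p not in shipped),
    }


def build_tarball(files: dict, prefix: str = PREFIX) -> bytes:
    """Build an in-memory .tar.gz so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: a reviewed tree and the release made from it.
REPO_FILES = {"configure.ac": b"AC_INIT([demo],[1.0])\nAC_OUTPUT\n",
              "main.c": b"int main(void) { return 0; }\n"}
RELEASE_FILES = dict(REPO_FILES, configure=b"#! /bin/sh\n# generated (constructed)\n")
RELEASE_FILES["aclocal.m4"] = b"# generated macros (constructed)\n"

if __name__ == "__main__":
    print(audit_release(build_tarball(RELEASE_FILES), REPO_FILES))
```

Files in the `unreviewed` list are the ones to regenerate from the committed inputs and diff before trusting the release.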


