bug-gnulib

Re: MKDIR_P discovered by configure but not substituted in the Makefile


From: Eric Blake
Subject: Re: MKDIR_P discovered by configure but not substituted in the Makefile
Date: Mon, 22 Feb 2010 05:59:58 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666

According to Simon Josefsson on 2/22/2010 1:15 AM:
> Gnulib's DEPENDENCIES says automake 1.9.6 is fine.  I think Bruno's
> workaround is better than incrementing the required minimum version, if
> this problem is the only reason why automake > 1.9.6 would be required
> by gnulib.

Yes, I approve of Bruno's patch, since there are some distros that have
provided a patched automake 1.9.x that works around the security
vulnerability.  But my point still remains - if you release a package that
was autotooled using unpatched automake 1.9.6, you have put yourself and
your downstream users at the risk of the security flaw injected into your
package by the insecure automake.  So it is still worth considering
upgrading to a fixed automake, whether or not gnulib can work around the
older automake.

-- 
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
