Re: .gitmodules security

[Vincent Lefevre]

On 2022-02-11 05:05:45 -0500, Mike Frysinger wrote:
> i'm not sure that's accurate.  if you look at the history of the gnulib
> submodule, it's updated maybe once a year.  gnulib doesn't need to be
> synced to its latest commit all the time to work.  i think any automated
> distro testing should be focusing on what the git repo is using.
[...]

It seems that in 2016, the Debian libtool maintainer chose to use the
gnulib code from the Debian package instead of the one distributed
with libtool. In the Debian changelog:

  * Build-Depend on gnulib and tell bootstrap where to found it.

In general, when 3rd-party code is used by a project, Debian prefers
to use the version it provides via its own packages rather than the
version used by upstream (even though this may yield API and ABI
compatibility issues), apparently because it is easier to apply
security fixes (what upstream doesn't always do, in particular
because active Debian releases may still have versions that upstream
no longer supports). But I don't know whether this is the reason for
libtool.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)