Re: .gitmodules security

From: Vincent Lefevre
Subject: Re: .gitmodules security
Date: Fri, 11 Feb 2022 11:35:10 +0100
User-agent: Mutt/2.1.5+141 (1c47970f) vl-138565 (2022-02-09)

On 2022-02-11 05:05:45 -0500, Mike Frysinger wrote:
> i'm not sure that's accurate.  if you look at the history of the gnulib
> submodule, it's updated maybe once a year.  gnulib doesn't need to be
> synced to its latest commit all the time to work.  i think any automated
> distro testing should be focusing on what the git repo is using.

It seems that in 2016, the Debian libtool maintainer chose to use the
gnulib code from the Debian package instead of the one distributed
with libtool. In the Debian changelog:

  * Build-Depend on gnulib and tell bootstrap where to found it.

In general, when 3rd-party code is used by a project, Debian prefers
to use the version it provides via its own packages rather than the
version used by upstream (even though this may yield API and ABI
compatibility issues), apparently because it is easier to apply
security fixes (which upstream doesn't always do, in particular
because active Debian releases may still have versions that upstream
no longer supports). But I don't know whether this is the reason for

Vincent Lefèvre <> - Web: <>
100% accessible validated (X)HTML - Blog: <>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
