6:39 p.m.
Pick up some build fixes in the latest gnulib. In particular,
we want to ensure that official tarballs are secure, but don't
want to penalize people who don't run 'make dist', since fixed
automake still hasn't hit common platforms like Fedora 17.
* .gnulib: Update to latest, for Automake CVE-2012-3386 detection.
* bootstrap: Resync from gnulib.
* bootstrap.conf (gnulib_extra_files): Drop missing, since gnulib
has dropped it in favor of Automake's version.
* cfg.mk (local-checks-to-skip): Conditionally skip the security
check in cases where it doesn't matter.
---
I'm stoked! I figured out how to upgrade to the latest automake
and make our release process secure (tested with 'make dist' on
a system with insecure automake), without penalizing normal
development (tested with 'make check' on the same system).
* .gnulib a02ba4b...6c37e0a (76):
verify: document conflict with -Wnested-externs
maint.mk: forbid exit(-1)
fsusage: port back to Solaris
gnu-web-doc-update: fix error messages
gnu-web-doc-update: check the requirements.
maint.mk: minor simplification.
gitlog-to-changelog: VPATH build issues.
fpending: Assume AC_CHECK_DECLS_ONCE invocation, like in fpending.m4.
pthread_sigmask: fix bug on FreeBSD 9
README-release: make it more legible
autoupdate
maint: require that each sc_... command start with "@"
maint.mk: add leading "@" to quiet new "make syntax-check" rule
autoupdate
maint.mk: new syntax check for HAVE_DECL checks
argp: make HAVE_DECL usage consistent
stat-time: relax license to LGPLv2+
strndup: fix m4 usage error
maint: enable the sc_avoid_if_before_free syntax-check rule
gettext: do not assume '#define ... defined ...' behavior
getloadavg: clean out old Emacs and Autoconf cruft
bootstrap: let warn be like tests/init.sh's warn_
getopt: Simplify after Emacs changed.
maint.mk: add sc_vulnerable_makefile_CVE-2012-3386
maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix
getloadavg, getopt: fix commentary re configure.in
timespec: mark functions with const attributes
canonicalize[-lgpl]: handle "guessing" values when cross-building
canonicalize: make the right guess when cross-compiling to GNU
update from texinfo
timespec-sub: avoid duplicate include
bootstrap: use a more consistent error reporting scheme
sys_time: allow too-wide tv_sec
pthread: check for both pthread_create and pthread_join
parse-datetime: doc tuneup
do-release-commit-and-tag: fix the previous commit
do-release-commit-and-tag: fix typo
pthread: check for pthread_create, not pthread_join
parse-datetime: fix failure to diagnose invalid input
bootstrap: do not require now-removed build-aux/missing
alloca: add support for HP NonStop TNS/E native
fsusage: remove code not needed on non GNU/Linux systems.
fsusage: include files needed for glibc 2.6 fallback
fsusage: avoid needless check on GNU/Linux
log: Fix an autoconf >= 2.64 warning.
autoupdate
autoupdate
log10f: Fix possible configuration problem.
Fix typo in ChangeLog entry.
remove: No longer override on all platforms. Fixes bug from 2012-03-20.
config: drop scripts that automake says are not independent
root-uid: new module
regex: use locale-independent comparison for codeset name
getopt-posix: No longer guarantee that option processing is resettable.
argp, regex: Ensure strcasecmp gets declared.
autoupdate
ptsname_r: Fix typo in last commit.
ptsname_r: Make it consistent with ptsname on AIX.
ptsname_r: Make it consistent with ptsname on OSF/1.
ttyname_r: Fix result on OSF/1, Solaris.
ptsname_r: Add support for Solaris.
ptsname_r: Fix test failure on native Windows.
ptsname_r: Fix test failures on IRIX, Solaris.
ptsname test: Extend test.
time: fix obsolete comment
getopt-gnu: Handle suboptimal getopt_long's abbreviation handling.
time_r: fix typo that always overrode localtime_r decl
Write "Mac OS X" instead of "MacOS X".
grantpt: Relax requirement regarding invalid file descriptors.
fbufmode test: Don't test unportable behaviour.
gnulib-tool: Refactor inctests variable.
gnulib-tool: --create-[mega]testdir, --[mega]test implies --with-tests.
parse-duration test: Avoid spurious output.
testing: fix typo in here doc
maint: disable the strncpy prohibition
Fix misspellings in comments.
.gnulib | 2 +-
bootstrap | 118 +++++++++++++++++++++++++++++++++-----------------------
bootstrap.conf | 1 -
cfg.mk | 11 ++++++
4 files changed, 81 insertions(+), 51 deletions(-)
diff --git a/.gnulib b/.gnulib
index a02ba4b..6c37e0a 160000
--- a/.gnulib
+++ b/.gnulib
@@ -1 +1 @@
-Subproject commit a02ba4bf889fee4622db87f185c3d0af84d74ae7
+Subproject commit 6c37e0a73c7c1b6fe6eac4d794e2e65791a2700d
diff --git a/bootstrap b/bootstrap
index ce37a2c..e3e270b 100755
--- a/bootstrap
+++ b/bootstrap
@@ -1,6 +1,6 @@
#! /bin/sh
# Print a version string.
-scriptversion=2012-05-15.06; # UTC
+scriptversion=2012-07-19.14; # UTC
# Bootstrap this package from checked-out sources.
@@ -77,6 +77,33 @@ Running without arguments will suffice in most cases.
EOF
}
+# warnf_ FORMAT-STRING ARG1...
+warnf_ ()
+{
+ warnf_format_=$1
+ shift
+ nl='
+'
+ case $* in
+ *$nl*) me_=$(printf "$me"|tr "$nl|" '??')
+ printf "$warnf_format_" "$@" | sed "s|^|$me_: |" ;;
+ *) printf "$me: $warnf_format_" "$@" ;;
+ esac >&2
+}
+
+# warn_ WORD1...
+warn_ ()
+{
+ # If IFS does not start with ' ', set it and emit the warning in a subshell.
+ case $IFS in
+ ' '*) warnf_ '%s\n' "$*";;
+ *) (IFS=' '; warn_ "$@");;
+ esac
+}
+
+# die WORD1...
+die() { warn_ "$@"; exit 1; }
+
# Configuration.
# Name of the Makefile.am
@@ -130,7 +157,8 @@ extract_package_name='
p
}
'
-package=$(sed -n "$extract_package_name" configure.ac) || exit
+package=$(sed -n "$extract_package_name" configure.ac) \
+ || die 'cannot find package name in configure.ac'
gnulib_name=lib$package
build_aux=build-aux
@@ -186,6 +214,8 @@ use_git=true
# otherwise find the first of the NAMES that can be run (i.e.,
# supports --version). If found, set ENVVAR to the program name,
# die otherwise.
+#
+# FIXME: code duplication, see also gnu-web-doc-update.
find_tool ()
{
find_tool_envvar=$1
@@ -203,19 +233,15 @@ find_tool ()
else
find_tool_error_prefix="\$$find_tool_envvar: "
fi
- if test x"$find_tool_res" = x; then
- echo >&2 "$me: one of these is required: $find_tool_names"
- exit 1
- fi
- ($find_tool_res --version </dev/null) >/dev/null 2>&1 || {
- echo >&2 "$me: ${find_tool_error_prefix}cannot run $find_tool_res
--version"
- exit 1
- }
+ test x"$find_tool_res" != x \
+ || die "one of these is required: $find_tool_names"
+ ($find_tool_res --version </dev/null) >/dev/null 2>&1 \
+ || die "${find_tool_error_prefix}cannot run $find_tool_res --version"
eval "$find_tool_envvar=\$find_tool_res"
eval "export $find_tool_envvar"
}
-# Find sha1sum, named gsha1sum on MacPorts, and shasum on MacOS 10.6.
+# Find sha1sum, named gsha1sum on MacPorts, and shasum on Mac OS X 10.6.
find_tool SHA1SUM sha1sum gsha1sum shasum
# Override the default configuration, if necessary.
@@ -230,7 +256,6 @@ esac
test -z "${gnulib_extra_files}" && \
gnulib_extra_files="
$build_aux/install-sh
- $build_aux/missing
$build_aux/mdate-sh
$build_aux/texinfo.tex
$build_aux/depcomp
@@ -270,21 +295,15 @@ do
--no-git)
use_git=false;;
*)
- echo >&2 "$0: $option: unknown option"
- exit 1;;
+ die "$option: unknown option";;
esac
done
-if $use_git || test -d "$GNULIB_SRCDIR"; then
- :
-else
- echo "$0: Error: --no-git requires --gnulib-srcdir" >&2
- exit 1
-fi
+$use_git || test -d "$GNULIB_SRCDIR" \
+ || die "Error: --no-git requires --gnulib-srcdir"
if test -n "$checkout_only_file" && test ! -r
"$checkout_only_file"; then
- echo "$0: Bootstrapping from a non-checked-out distribution is risky."
>&2
- exit 1
+ die "Bootstrapping from a non-checked-out distribution is risky."
fi
# Ensure that lines starting with ! sort last, per gitignore conventions
@@ -310,7 +329,7 @@ insert_sorted_if_absent() {
echo "$str" | sort_patterns - $file | cmp -s - $file > /dev/null \
|| { echo "$str" | sort_patterns - $file > $file.bak \
&& mv $file.bak $file; } \
- || exit 1
+ || die "insert_sorted_if_absent $file $str: failed"
}
# Adjust $PATTERN for $VC_IGNORE_FILE and insert it with
@@ -334,11 +353,8 @@ grep '^[
]*AC_CONFIG_AUX_DIR(\['"$build_aux"'\])' configure.ac \
/dev/null && found_aux_dir=yes
grep '^[
]*AC_CONFIG_AUX_DIR('"$build_aux"')' configure.ac \
/dev/null && found_aux_dir=yes
-if test $found_aux_dir =
no; then
- echo "$0: expected line not found in configure.ac. Add the following:"
>&2
- echo " AC_CONFIG_AUX_DIR([$build_aux])" >&2
- exit 1
-fi
+test $found_aux_dir = yes \
+ || die "configure.ac lacks 'AC_CONFIG_AUX_DIR([$build_aux])'; add
it"
# If $build_aux doesn't exist, create it now, otherwise some bits
# below will malfunction. If creating it, also mark it as ignored.
@@ -444,7 +460,7 @@ check_versions() {
automake-ng|aclocal-ng)
app=${app%-ng}
($app --version | grep '(GNU automake-ng)') >/dev/null 2>&1 ||
{
- echo "$me: Error: '$app' not found or not from Automake-NG"
>&2
+ warn_ "Error: '$app' not found or not from Automake-NG"
ret=1
continue
} ;;
@@ -454,20 +470,21 @@ check_versions() {
# so we have to rely on $? rather than get_version.
$app --version >/dev/null 2>&1
if [ 126 -le $? ]; then
- echo "$me: Error: '$app' not found" >&2
+ warn_ "Error: '$app' not found"
ret=1
fi
else
# Require app to produce a new enough version string.
inst_ver=$(get_version $app)
if [ ! "$inst_ver" ]; then
- echo "$me: Error: '$app' not found" >&2
+ warn_ "Error: '$app' not found"
ret=1
else
latest_ver=$(sort_ver $req_ver $inst_ver | cut -d' ' -f2)
if [ ! "$latest_ver" = "$inst_ver" ]; then
- echo "$me: Error: '$app' version == $inst_ver is too old"
>&2
- echo " '$app' version >= $req_ver is required"
>&2
+ warnf_ '%s\n' \
+ "Error: '$app' version == $inst_ver is too old" \
+ " '$app' version >= $req_ver is required"
ret=1
fi
fi
@@ -524,11 +541,10 @@ fi
if ! printf "$buildreq" | check_versions; then
echo >&2
if test -f README-prereq; then
- echo "$0: See README-prereq for how to get the prerequisite programs"
>&2
+ die "See README-prereq for how to get the prerequisite programs"
else
- echo "$0: Please install the prerequisite programs" >&2
+ die "Please install the prerequisite programs"
fi
- exit 1
fi
echo "$0: Bootstrapping from checked-out $package sources..."
@@ -739,11 +755,10 @@ symlink_to_dir()
*)
case /$dst/ in
*//* | */../* | */./* | /*/*/*/*/*/)
- echo >&2 "$me: invalid symlink calculation: $src ->
$dst"
- exit 1;;
- /*/*/*/*/) dot_dots=../../../;;
- /*/*/*/) dot_dots=../../;;
- /*/*/) dot_dots=../;;
+ die "invalid symlink calculation: $src -> $dst";;
+ /*/*/*/*/) dot_dots=../../../;;
+ /*/*/*/) dot_dots=../../;;
+ /*/*/) dot_dots=../;;
esac;;
esac
@@ -765,7 +780,7 @@ version_controlled_file() {
grep -F "/${file##*/}/" "$parent/CVS/Entries" 2>/dev/null |
grep '^/[^/]*/[0-9]' > /dev/null
else
- echo "$me: no version control for $file?" >&2
+ warn_ "no version control for $file?"
false
fi
}
@@ -855,11 +870,12 @@ echo "$0: $gnulib_tool $gnulib_tool_options --import ..."
$gnulib_tool $gnulib_tool_options --import $gnulib_modules &&
for file in $gnulib_files; do
- symlink_to_dir "$GNULIB_SRCDIR" $file || exit
+ symlink_to_dir "$GNULIB_SRCDIR" $file \
+ || die "failed to symlink $file"
done
bootstrap_post_import_hook \
- || { echo >&2 "$me: bootstrap_post_import_hook failed"; exit 1; }
+ || die "bootstrap_post_import_hook failed"
# Remove any dangling symlink matching "*.m4" or "*.[ch]" in some
# gnulib-populated directories. Such .m4 files would cause aclocal to fail.
@@ -887,7 +903,7 @@ echo "running: AUTOPOINT=true LIBTOOLIZE=true " \
"$AUTORECONF --verbose --install $no_recursive -I $m4_base $ACLOCAL_FLAGS"
AUTOPOINT=true LIBTOOLIZE=true \
$AUTORECONF --verbose --install $no_recursive -I $m4_base $ACLOCAL_FLAGS \
- || exit 1
+ || die "autoreconf failed"
# Get some extra files from gnulib, overriding existing files.
for file in $gnulib_extra_files; do
@@ -896,7 +912,8 @@ for file in $gnulib_extra_files; do
build-aux/*) dst=$build_aux/${file#build-aux/};;
*) dst=$file;;
esac
- symlink_to_dir "$GNULIB_SRCDIR" $file $dst || exit
+ symlink_to_dir "$GNULIB_SRCDIR" $file $dst \
+ || die "failed to symlink $file"
done
if test $with_gettext = yes; then
@@ -912,7 +929,8 @@ if test $with_gettext = yes; then
a\
'"$XGETTEXT_OPTIONS"' $${end_of_xgettext_options+}
}
- ' po/Makevars.template >po/Makevars || exit 1
+ ' po/Makevars.template >po/Makevars \
+ || die 'cannot generate po/Makevars'
# If the 'gettext' module is in use, grab the latest Makefile.in.in.
# If only the 'gettext-h' module is in use, assume autopoint already
@@ -920,7 +938,8 @@ if test $with_gettext = yes; then
case $gnulib_modules in
*gettext-h*) ;;
*gettext*)
- cp $GNULIB_SRCDIR/build-aux/po/Makefile.in.in po/Makefile.in.in || exit 1
+ cp $GNULIB_SRCDIR/build-aux/po/Makefile.in.in po/Makefile.in.in \
+ || die "cannot create po/Makefile.in.in"
;;
esac
@@ -936,7 +955,8 @@ if test $with_gettext = yes; then
a\
'"$XGETTEXT_OPTIONS_RUNTIME"' $${end_of_xgettext_options+}
}
- ' po/Makevars.template >runtime-po/Makevars || exit 1
+ ' po/Makevars.template >runtime-po/Makevars \
+ || die 'cannot generate runtime-po/Makevars'
# Copy identical files from po to runtime-po.
(cd po && cp -p Makefile.in.in *-quot *.header *.sed *.sin ../runtime-po)
diff --git a/bootstrap.conf b/bootstrap.conf
index 9b42cbf..3ac84f4 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -223,7 +223,6 @@ touch ChangeLog || exit 1
# Override bootstrap's list - we don't use mdate-sh or texinfo.tex.
gnulib_extra_files="
$build_aux/install-sh
- $build_aux/missing
$build_aux/depcomp
$build_aux/config.guess
$build_aux/config.sub
diff --git a/cfg.mk b/cfg.mk
index 39d19b4..d054e5a 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -76,6 +76,17 @@ local-checks-to-skip = \
sc_makefile_check \
sc_useless_cpp_parens
+# Most developers don't run 'make distcheck'. We want the official
+# dist to be secure, but don't want to penalize other developers
+# using a distro that has not yet picked up the automake fix.
+# FIXME remove this ifeq (making the syntax check unconditional)
+# once fixed automake (1.11.6 or 1.12.2+) is more common.
+ifeq ($(filter dist%, $(MAKECMDGOALS)), )
+local-checks-to-skip += sc_vulnerable_makefile_CVE-2012-3386
+else
+distdir: sc_vulnerable_makefile_CVE-2012-3386
+endif
+
# Files that should never cause syntax check failures.
VC_LIST_ALWAYS_EXCLUDE_REGEX = \
(^(HACKING|docs/(news\.html\.in|.*\.patch))|\.po)$$
--
1.7.10.4
8:45 a.m.
On Fri, Jul 20, 2012 at 05:39:43PM -0600, Eric Blake wrote:
Pick up some build fixes in the latest gnulib. In particular,
we want to ensure that official tarballs are secure, but don't
want to penalize people who don't run 'make dist', since fixed
automake still hasn't hit common platforms like Fedora 17.
* .gnulib: Update to latest, for Automake CVE-2012-3386 detection.
* bootstrap: Resync from gnulib.
* bootstrap.conf (gnulib_extra_files): Drop missing, since gnulib
has dropped it in favor of Automake's version.
* cfg.mk (local-checks-to-skip): Conditionally skip the security
check in cases where it doesn't matter.
---
I'm stoked! I figured out how to upgrade to the latest automake
and make our release process secure (tested with 'make dist' on
a system with insecure automake), without penalizing normal
development (tested with 'make check' on the same system).
ACK, since only 'make dist' people are forced to install new
automake.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
8:52 a.m.
On 07/26/2012 07:45 AM, Daniel P. Berrange wrote:
On Fri, Jul 20, 2012 at 05:39:43PM -0600, Eric Blake wrote:
> Pick up some build fixes in the latest gnulib. In particular,
> we want to ensure that official tarballs are secure, but don't
> want to penalize people who don't run 'make dist', since fixed
> automake still hasn't hit common platforms like Fedora 17.
>
> * .gnulib: Update to latest, for Automake CVE-2012-3386 detection.
> * bootstrap: Resync from gnulib.
> * bootstrap.conf (gnulib_extra_files): Drop missing, since gnulib
> has dropped it in favor of Automake's version.
> * cfg.mk (local-checks-to-skip): Conditionally skip the security
> check in cases where it doesn't matter.
> ---
>
> I'm stoked! I figured out how to upgrade to the latest automake
> and make our release process secure (tested with 'make dist' on
> a system with insecure automake), without penalizing normal
> development (tested with 'make check' on the same system).
ACK, since only 'make dist' people are forced to install new
automake.
Thanks, pushed, and I'm also backporting it to the maint branches.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
12:18 p.m.
On 07/26/2012 07:52 AM, Eric Blake wrote:
On 07/26/2012 07:45 AM, Daniel P. Berrange wrote:
> On Fri, Jul 20, 2012 at 05:39:43PM -0600, Eric Blake wrote:
>> Pick up some build fixes in the latest gnulib. In particular,
>> we want to ensure that official tarballs are secure, but don't
>> want to penalize people who don't run 'make dist', since fixed
>> automake still hasn't hit common platforms like Fedora 17.
>>
>> * .gnulib: Update to latest, for Automake CVE-2012-3386 detection.
> ACK, since only 'make dist' people are forced to install
new
> automake.
Thanks, pushed, and I'm also backporting it to the maint branches.
Now pushed to v0.9.6-maint; I'm still working on v0.9.11.maint.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
1:43 p.m.
On 07/27/2012 11:18 AM, Eric Blake wrote:
On 07/26/2012 07:52 AM, Eric Blake wrote:
> On 07/26/2012 07:45 AM, Daniel P. Berrange wrote:
>> On Fri, Jul 20, 2012 at 05:39:43PM -0600, Eric Blake wrote:
>>> Pick up some build fixes in the latest gnulib. In particular,
>>> we want to ensure that official tarballs are secure, but don't
>>> want to penalize people who don't run 'make dist', since fixed
>>> automake still hasn't hit common platforms like Fedora 17.
>>>
>>> * .gnulib: Update to latest, for Automake CVE-2012-3386 detection.
>> ACK, since only 'make dist' people are forced to install new
>> automake.
>
> Thanks, pushed, and I'm also backporting it to the maint branches.
Now pushed to v0.9.6-maint; I'm still working on v0.9.11.maint.
Done as well.
Cole, I also backported the fix for BZ 843836 to v0.9.11-maint; be aware
that when you cut a new build for Fedora 17, you will need a fixed
automake on your PATH.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
4501
days inactive
4508
days old
4 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Eric Blake