On 08/13/2012 10:19 AM, Eric Blake wrote:
> On 08/13/2012 08:04 AM, Cole Robinson wrote:
>> On 08/13/2012 09:59 AM, Daniel P. Berrange wrote:
>>> On Mon, Aug 13, 2012 at 09:56:49AM -0400, Cole Robinson wrote:
>>>> I just pushed a bunch of patches to -maint branches, but both are giving me
>>>> distcheck errors that seem related to a gnulib update:
>>>>
>>>> ERROR: files left in build directory after distclean:
>>>> ./.sc-start-sc_vulnerable_makefile_CVE-2012-3386
> 'make maintainer-clean' doesn't clean up leftover .sc-start files from
> one failed syntax check, even if you resolve the syntax check in the
> meantime. I don't know why the .sc file is getting bundled into the
> tarball, but it should not be; and that would possibly explain the error
> you are seeing. There may be further improvements needed on gnulib's
> side (hence the cc), but for now, I think the workaround for you is to
> just manually delete that .sc-start* file prior to running distcheck.
Found the root of the issue - it's libvirt's fault. Gnulib's maint.mk
takes the initial definition of local-checks-to-skip, and from that,
creates a macro 'local-checks' using a := rule:
local-check := \
$(patsubst sc_%, sc_%.z, \
$(filter-out $(local-checks-to-skip), $(local-checks-available)))
But libvirt's cfg.mk is conditionally running the local-checks-to-skip
rule, via:
# Most developers don't run 'make distcheck'. We want the official
# dist to be secure, but don't want to penalize other developers
# using a distro that has not yet picked up the automake fix.
# FIXME remove this ifeq (making the syntax check unconditional)
# once fixed automake (1.11.6 or 1.12.2+) is more common.
ifeq ($(filter dist%, $(MAKECMDGOALS)), )
local-checks-to-skip += sc_vulnerable_makefile_CVE-2012-3386
else
distdir: sc_vulnerable_makefile_CVE-2012-3386
endif
Because distdir depends on the full sc_ name, rather than the sc_.z
rewrite, maint.mk's timing rules don't get properly run, so the
.sc-start-* file doesn't get cleaned up. I think with a bit more
tweaking to libvirt's cfg.mk, I can get this working again.
Meanwhile, would gnulib like to incorporate this hack from libvirt?
After all, the current Automake vulnerability only affects you if you
run 'make dist' or 'make distcheck'; it does not impact normal
day-to-day development. Therefore, running the syntax check only in the
vulnerable cases, and in such a way that the syntax check stops make
before the vulnerability can actually be triggered, without penalizing
day-to-day development for people relying on their distro rather than
using a hand-built automake, seems like it would be nice to share among
multiple packages.
[It's a shame that more than a month after the CVE was reported and both
Fedora 17 and RHEL 6.3 are still vulnerable, but that's a story for
another day.]
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org