gEDA-dev: _Other_ code problems
Bernd Jendrissek
bernd.jendrissek at gmail.com
Thu May 8 15:10:53 EDT 2008
On Mon, Apr 28, 2008 at 9:19 AM, der Mouse <mouse at rodents.montreal.qc.ca> wrote:
> > I'm surprised the configury let you select it.
>
> Oh, I didn't use configure. configure scripts are horrible in two big
> respects[%]: (1) something like half of them get at least one thing
> wrong in my experience, and it's hell to convince them they're wrong
> when they are - I've typically ended up applying private patches after
> running configure in those cases; (2) they're a security disaster
> waiting to happen (very hard to sandbox, mind-numbing to eyeball-check,
> much harder to mechanically check out than the program they're
> configuring in almost all cases, which adds up to "perfect trojaning
> target").

FWIW this is one reason why I try very hard to regenerate configure
scripts and makefiles with autoreconf instead of just trusting
whatever megabyte shell script ./configure happens to be in any random
tarball. Which was why I was very happy to see configure and
Makefile.in disappear from CVS.

OTOH, if you're compiling source, are you personally checking each and
every line of C code? That, too, could contain trojan horses...
(granted, they're more in-your-face there than in some huge shell
script nobody really looks at)

> [%] I'm not alone in holding this opinion; just today, on another list,
> someone said he was "starting to wonder why the Open Source developers
> are so enamoured with the use of libtool, automake & autoconf"....

Those who do not understand the autotools are doomed to reinvent them :)
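
Added example, not part of the original message: a Python sketch of the check that the reply's autoreconf habit implies. It lists files that ship in a release tarball but are absent from version control, and separates the ones autoreconf can regenerate from the rest. The tarball, its file names and the tracked-file list are constructed for illustration, and `GENERATED_NAMES` is an assumed, non-exhaustive set.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Files that autoconf, automake and libtoolize write into a tree (assumed, non-exhaustive).
GENERATED_NAMES = {"configure", "Makefile.in", "aclocal.m4", "config.h.in", "ltmain.sh",
                   "config.guess", "config.sub", "install-sh", "missing", "depcomp", "compile"}

def audit_tarball(tar_bytes, tracked_files):
    """Split tarball-only files into (regenerable, unexplained) lists of (path, size)."""
    tracked = set(tracked_files)
    regenerable, unexplained = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Drop the leading "name-version/" directory that release tarballs carry.
            rel = "/".join(PurePosixPath(member.name).parts[1:])
            if not rel or rel in tracked:
                continue
            bucket = regenerable if PurePosixPath(rel).name in GENERATED_NAMES else unexplained
            bucket.append((rel, member.size))
    return sorted(regenerable), sorted(unexplained)

def build_sample_tarball():
    """Constructed sample: a tiny release tarball held in memory."""
    files = {
        "demo-1.0/configure.ac": b"AC_INIT([demo], [1.0])\n",
        "demo-1.0/Makefile.am": b"SUBDIRS = src\n",
        "demo-1.0/src/main.c": b"int main(void) { return 0; }\n",
        "demo-1.0/configure": b"#" * 4096,       # stands in for the generated script
        "demo-1.0/Makefile.in": b"#" * 512,
        "demo-1.0/src/Makefile.in": b"#" * 256,
        "demo-1.0/m4/extra.m4": b"dnl not in version control\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed stand-in for the output of the VCS "list tracked files" command.
SAMPLE_TRACKED = ["configure.ac", "Makefile.am", "src/main.c"]

if __name__ == "__main__":
    regenerable, unexplained = audit_tarball(build_sample_tarball(), SAMPLE_TRACKED)
    for path, size in regenerable:
        print(f"regenerate with autoreconf: {path} ({size} bytes)")
    for path, size in unexplained:
        print(f"review by hand: {path} ({size} bytes)")
```

Files in the first list can be deleted and rebuilt from `configure.ac` and `Makefile.am`; anything in the second list has no generator to explain it and needs a manual read.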