packages that BuildRequire: gettext that need to change to gettext-devel

Jeremy Katz katzj at redhat.com
Tue Jun 22 22:32:06 UTC 2004


On Tue, 2004-06-22 at 17:33 -0400, Elliot Lee wrote:
> Adding a 'cvs' dependency to 'gettext' will upset a few people, but it's 
> really not that bad a thing.

Actually, the use of cvs like this strikes me as adding an easy way to
trojan builds.  Come up with a way to compromise the CVS server or just
DNS MITM to masquerade as it and then drop in whatever you want into
someone's package.

Realistically, build machines should have zero need to talk to an
outside server.  

> I looked at autopoint, and it should be reasonably easy to get rid of its
> use of CVS by doing a checkout from archive.tar.gz at package build time
> rather than runtime. Is autopoint even used at all?

I'd prefer this approach be taken just for the security aspects from
above.  It looks like autopoint gets invoked by gettextize.

Jeremy
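
One way to audit for the concern raised in this message, as an added example that is not part of the original post or of any Fedora tooling: a small lint that flags commands in an RPM spec's build-stage sections that can reach an outside server, plus `autopoint` and `gettextize`, which the thread says end up using CVS. The tool lists, function names and sample spec are assumptions made for the illustration.

```python
import re

# Assumption: clients treated as able to reach an outside server.
DIRECT = {"cvs", "svn", "git", "wget", "curl", "ftp", "rsync", "scp"}
# From the thread: autopoint uses CVS, and gettextize invokes autopoint.
INDIRECT = {"autopoint", "gettextize"}
BUILD = {"%prep", "%build", "%install", "%check"}
OTHER = {"%description", "%files", "%changelog", "%package",
         "%pre", "%post", "%preun", "%postun"}

def command_words(line):
    """Yield the command name of each simple command on one shell line."""
    for segment in re.split(r"\|\||&&|[;|]", line):
        words = segment.split()
        while words and re.fullmatch(r"\w+=.*", words[0]):
            words.pop(0)                       # skip VAR=value prefixes
        if words:
            yield words[0].rsplit("/", 1)[-1]  # /usr/bin/cvs -> cvs

def scan_spec(text):
    """Return (section, line number, tool, kind) for each flagged command."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split()[0]
        if head in BUILD or head in OTHER:
            section = head if head in BUILD else None
        elif section:
            for cmd in command_words(line):
                if cmd in DIRECT or cmd in INDIRECT:
                    kind = "direct" if cmd in DIRECT else "indirect"
                    findings.append((section, lineno, cmd, kind))
    return findings

# Constructed sample spec, not taken from any real package.
SAMPLE_SPEC = """\
Name: example
%build
# cvs in a comment is ignored
gettextize --force && autoreconf -i
LC_ALL=C /usr/bin/cvs -d :pserver:anon@cvs.example.org:/cvsroot co po
%install
make install; rm -rf %{buildroot}/cvs
%files
/usr/bin/example
"""
```

Calling `scan_spec(SAMPLE_SPEC)` reports the `gettextize` and `cvs` invocations in `%build` and ignores the comment, the `cvs` path argument to `rm`, and everything outside the build-stage sections.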