[Fedora-packaging] Re: Modifying upstream tarballs

Axel Thimm Axel.Thimm at ATrpms.net
Wed Jun 6 06:55:21 UTC 2007


On Wed, Jun 06, 2007 at 08:41:30AM +0200, Ralf Corsepius wrote:
> On Wed, 2007-06-06 at 07:42 +0200, Axel Thimm wrote:
> > On Tue, Jun 05, 2007 at 09:04:01PM +0200, Ralf Corsepius wrote:
> > > On Tue, 2007-06-05 at 12:40 -0500, Rex Dieter wrote:
> > > > Ville Skyttä wrote:
> > > > 
> > > > > I think running autotools locally before re-rolling the modified tarball 
> > > > > instead of doing the absolute minimum changes would be ok in this case, as 
> > > > > long as things are scripted/documented.
> > 
> > I've never run into a package whose autotools was not supported in some
> > version in Fedora, and if that kind of package does exist, then it is
> > even harder to redo the steps, so we will lose reproducibility of
> > sources.
> > 
> > > > I'm uncomfortable with that, and prefer the consistency/reproducibility 
> > > > of running autotools at buildtime, but that's just me.
> > > This approach is the guaranteed way to ruin, because
> > > 
> > > 1. The autotools are not supposed to be run at build time.
> > 
> > Unless configure.ac/Makefile.ams are patched.
> Then patch the generated files, too. 
> 
> > > 2. Many older package configurations do not work with recent autotools
> > > and break in often subtle ways if you run newer autotools on them.
> > 
> > That's why we have tons of auto*<version> packages to cover all cases.
> Well, we have some RH-patched versions around, but we don't necessarily
> have the versions around the original authors used. They might have been
> using differently patched versions originating from other vendors or
> even custom versions.
> 
> So, even using the RH-patched versions resembling to the original
> versions isn't guaranteed to work. 

In that case this means we would never be able to verify the patches
at all, so an argument to not even let the package pass.

> > > 3. There is nothing reliable in running the autotools at buildtime.
> > 
> > Looks like a repetition of point 1. :)
> 1. was poorly phrased ;) It should have been "the autotools are not
> designed to be run at buildtime".

Why? I see nothing in the design that implies that. In fact autotools
promote autorebuilds when a user modifies the sources of the generated
files.

> > Autotools have been known to provide deterministic results just like
> > any other software. ;)
> If people were using vanilla versions and if vendors would should
> vanilla versions, yes.

If vendors like Red Hat need to modify libtool so that x86_64 is
covered then we need to use the vendor supplied autotools anyway, so
that's not a valid point.

> > > Finally, it's not hard to add magic to configurations in such a way
> > > they don't re-run the autotools.
> > 
> > Can you elaborate what this means when configure.ac/Makefile.am have
> > been modified?
> 
> Also patch the generated files

Which is an unverifiable patch if our autotools can't recreate
it. What will the comment be? "Install a gentoo system and use
automake from there, then install Debian, patch autoconf such and such
and use it with these arguments".

And who will review the configure patch that it doesn't contain

# malicious code injected
cat > scripts/somescriptthatisinstalled << EOF
#! /bin/sh
rm -fr /
EOF
-- 
Axel.Thimm at ATrpms.net
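
The verifiability point raised in this message, as an added example that is not part of the original post: a reviewer can accept a patch to generated files only if regenerating them from the patched inputs reproduces the shipped files byte for byte. The function name, the `REGEN` variable and the sample tree with its stand-in generator are assumptions made for illustration; on a real package `REGEN` would be the documented autotools invocation.

```shell
#!/bin/sh
# Added example: check that shipped generated files can be recreated
# from the (patched) autotools inputs in the same tree.
# REGEN is an assumption: the command that regenerates the files;
# "autoreconf -fi" is the usual choice on a real package.

# verify_generated SRCDIR FILE...
# Returns 0 if every FILE is byte-identical after regeneration,
# 1 on a mismatch, 2 if regeneration itself could not be done.
verify_generated() {
    src=$1; shift
    work=$(mktemp -d) || return 2
    cp -Rp "$src/." "$work/" || { rm -rf "$work"; return 2; }
    # Regenerate inside the scratch copy only; the shipped tree is untouched.
    if ! (cd "$work" && sh -c "${REGEN:-autoreconf -fi}") >/dev/null 2>&1; then
        echo "regeneration failed: patch cannot be verified" >&2
        rm -rf "$work"; return 2
    fi
    rc=0
    for f in "$@"; do
        if ! cmp -s "$src/$f" "$work/$f"; then
            echo "MISMATCH: $f differs from regenerated output" >&2
            diff -u "$work/$f" "$src/$f" >&2
            rc=1
        fi
    done
    rm -rf "$work"
    return $rc
}

# Constructed sample tree: a stand-in "generator" derives configure from
# configure.ac, so the example runs without autotools installed.
make_sample() {
    d=$(mktemp -d)
    printf 'AC_INIT([demo],[1.0])\n' > "$d/configure.ac"
    printf '#! /bin/sh\n# from: AC_INIT([demo],[1.0])\necho configured\n' > "$d/configure"
    echo "$d"
}
SAMPLE_REGEN='{ echo "#! /bin/sh"; sed "s/^/# from: /" configure.ac; echo "echo configured"; } > configure'
```

A return value of 2 corresponds to the case argued above: if the available tools cannot recreate the file, the patch cannot be verified at all.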