[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Behaviour of Build / Configure in GNU programs

From: Ludovic Courtès
Subject: Re: Behaviour of Build / Configure in GNU programs
Date: Tue, 07 Jul 2015 11:32:33 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

address@hidden (Alfred M. Szmidt) skribis:

>    I'm seeing an increasing number of programs, whose configure and/or
>    makefile have been written, to open a connection to some remote url
>    (usually controlled by the project) download file(s) from there and
>    build them into the software.
>    I think this is a bad idea, from many points of view: Scalability,
>    Security and Reproducability.  I haven't found any such instances
>    in GNU Software, but I think we should put a statement about it in
>    the GCS.
> Seriously?  Really curious what programs do this totally crazy
> behaviour.

Unfortunately this is becoming commonplace.  The Python build system
(setuptools), Ruby’s, and probably other language-specific tools do that
by default (that is, they check for a local dependency and fall back to
downloading it silently.)  I’ve seen C++ projects do that as well.

Note that there is no real security and reproducibility issue *if* the
tools verify that the hash of the downloaded code is as expected.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]