On Mon, 14 Aug 2023, Gavin Smith wrote:
It seems that people are more likely to be have broken or unusual setups when reading an INSTALL file than when reading other text files, making UTF-8 more of a potential problem.* A "bootstrap" command is recommended as the first step: The following shell commands: test -f configure || ./bootstrap ./configure make make install should configure, build, and install this package. However, a "bootstrap" command does not exist in all packages (and isn't specified by the GNU coding standards(*)), making this INSTALL file less useful to include in other packages. (*) https://www.gnu.org/prep/standards/html_node/Managing-Releases.html#Managing-Releases). The text also says, several paragraphs later, that the "bootstrap" command can download data from a network, which is not respecting the user's privacy and the other downsides of network access (expense, reliability).
You make good points about unecessary use of UTF-8 and particularly the "bootstrap" command.
In a normal GNU package, there should be no need for a bootstrap command since the provided tarball should already be completely prepared.
If the software is accessed if a source repository (e.g. git), then it is much more likely that some "bootstrap" magic is required. Unfortunately, the "bootstrap" magic is highly project-specific. It might just execute already installed Autotools, or it might do something like check out sub-repositories from other projects.
To me, an arbitrary bootstrap script is both a privacy and security hazard without the user carefully studying the design of the script. It is capable of doing anything that the user is capable of doing. This is in addition to the possible need for "network access" which you already mentioned.
There are use-cases where software is compiled in secure environments, or otherwise without network access.
It is true that Autotools-based packages could be seen as a security menace because they execute arbitrary scripts, but at least they are usually released in a way which allows them to be validated.
Any generic instructions should make the user aware of these issues. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/ Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
