Gioele Barabucci <gio...@svario.it> writes:

> Just as an example, bootstrapping coreutils currently requires
> bootstrapping at least 68 other packages, including libx11-6 [1]. If
> coreutils supported <nodoc> [2], the transitive closure of its
> Build-Depends would be reduced to 20 packages, most of which in
> build-essential.
>
> [1] https://buildd.debian.org/status/fetch.php?pkg=coreutils&arch=amd64&ver=9.4-3.1&stamp=1710441056&raw=1
> [2] https://bugs.debian.org/1057136

Coreutils in Debian uses upstream tarballs and does not do a full bootstrap build. It does autoreconf instead of ./bootstrap. So the dependencies above are not the entire bootstrapping story to build coreutils from git compared to building from tarballs.

It would help if upstreams would publish PGP-signed 'git-archive'-style tarballs, including content from git submodules in them.

Relying on signed git tags is not reliable because git is primarily SHA1-based which in 2019 cost $45K to do a collision attack for.

/Simon