Jim Meyering wrote: > There was a nasty flaw in _every_ automake-generated Makefile.in > until recently[*]. When making releases, most of us who maintain
To clarify, the vulnerability affects the "distdir" commands that appear only in so-called top-level Makefile.in files. Note however, that some packages include sub-packages, so it's not enough to search the Makefile.in file in the top-level directory. > automake-using packages run "make dist" or "make distcheck". > Even if you don't, your users may. The flaw put all of us at risk. ... That's why this command searches all Makefile.in files: > tar --to-stdout -x -f $tgz '*/Makefile.in' | grep -e '-perm -777 ' -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
