On Fri, 28 Mar 2025, James Browning via devel wrote:
On Thursday, March 27, 2025 9:29:33 PM Pacific Daylight Time Fred Wright via
devel wrote:
On Fri, 28 Mar 2025, Matt Selsky wrote:
[...]
What specifically is currently shebanged to python3 and maybe needs to be
changed?
I'm referring to waf. It's easily worked around, though technically not
having a 'python' command is a bug, since code that works with both Python
2 and Python 3 is supposed to use the more generic 'python' in the shebang
line. The absence of Python 2 doesn't change that.
It breaks the embedded signature few people check.
How many people care about signatures *and* don't trust the ntpsec
signature *and* worry about the waf signature?
It seems to me that that issue could be adequately addressed by including
a comment in the preamble documenting the change. Then someone who
actually cares about the issue could:
1) Download the official waf.
2) Check the signature of the official waf.
3) Diff the ntpsec waf against the official waf.
This ought to be sufficient to verify that waf isn't suffering from "xz
disease" (assuming that the tools used in steps 1-3 aren't compromised).
MR available upon request.
Fred Wright
_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
