On Sun, Mar 31, 2024 at 06:04:47AM -0500, G. Branden Robinson wrote:
> At 2024-03-31T11:30:25+0100, Colin Watson wrote:
> > I looked into what it would take for Debian's groff package to do a
> > full rebootstrap from its packaged version of gnulib. It seems
> > relatively straightforward, but it requires including bootstrap and
> > bootstrap.conf in tarballs so that we know what modules to use.
>
> 2 lines of diff naming the two files! I don't think it _gets_ more
> straightforward.
>
> It's so close to April Fool's Day, I would have been tickled if you'd
> submitted it more like this.

:-)

> They say this was a "sophisticated attacker", but it also appears to be
> one who didn't grasp that "> /dev/null" is redundant with "grep -q".

Some of the sophistication was burying the actual exploit in confusion,
of course ...

> > I've omitted README.git to ensure that we still warn people who don't
> > know what they're doing that running "./bootstrap" may not be the
> > right place to start.
>
> I approve of this change. Push it whenever you're ready unless you
> would like to await feedback from others. (Hard to imagine a case
> against, though.)

Done, thanks.

--
Colin Watson (he/him) [cjwat...@debian.org]