From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 12106 invoked by alias); 31 Mar 2010 20:20:25 -0000
Received: (qmail 12088 invoked by uid 22791); 31 Mar 2010 20:20:24 -0000
X-SWARE-Spam-Status: No, hits=-1.9 required=5.0 tests=BAYES_00,T_RP_MATCHES_RCVD
X-Spam-Check-By: sourceware.org
Received: from mail.codesourcery.com (HELO mail.codesourcery.com) (38.113.113.100) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Wed, 31 Mar 2010 20:20:20 +0000
Received: (qmail 18397 invoked from network); 31 Mar 2010 20:20:19 -0000
Received: from unknown (HELO digraph.polyomino.org.uk) (joseph@127.0.0.2) by mail.codesourcery.com with ESMTPA; 31 Mar 2010 20:20:19 -0000
Received: from jsm28 (helo=localhost) by digraph.polyomino.org.uk with local-esmtp (Exim 4.69) (envelope-from ) id 1Nx4Of-0008L0-SI; Wed, 31 Mar 2010 20:20:17 +0000
Date: Wed, 31 Mar 2010 20:53:00 -0000
From: "Joseph S. Myers"
To: Jim Meyering
cc: Ralf Wildenhues, Tristan Gingold, Binutils
Subject: Re: [Patch]: upgrade to automake 1.11.1
In-Reply-To: <87d3yki851.fsf@meyering.net>
Message-ID:
References: <4CC4EBAB-2BE1-428D-BBB5-560CFED33DDE@adacore.com> <20100331082751.GC23926@ins.uni-bonn.de> <877hoslegf.fsf@meyering.net> <87d3yki851.fsf@meyering.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Mailing-List: contact binutils-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Archive:
List-Post:
List-Help:
Sender: binutils-owner@sourceware.org
X-SW-Source: 2010-03/txt/msg00470.txt.bz2

On Wed, 31 Mar 2010, Jim Meyering wrote:

> > Checking for world-writable distributed directories might make sense (that
>
> The net effect (world-writable dist dirs) is not the real risk.
> The risk is that while the tarball is being created, the directories
> being put into it are world writable, and so can potentially
> be made to contain anything.
> If you or anyone else then use the

But checking for world-writable directories in the tarball seems like a
more reliable way of determining whether the build of the tarball was
exposed to the risk than checking for "make dist" rules that may be dead
code for any package not using "make dist" to make its releases (while
failing to check for other packaging scripts, such as that used by GCC,
that also implement that former requirement of the GNU Coding Standards).

-- 
Joseph S. Myers
joseph@codesourcery.com
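The check Joseph argues for above, inspecting the distributed tarball itself for world-writable entries rather than inspecting the "make dist" rules that produced it, as an added example that is not part of this thread and is not code from automake, binutils or GCC. It reads the mode bits from the archive headers, so it works on any tarball regardless of which packaging script built it. The tarball it scans is constructed in memory for the demonstration; the package name and layout are invented.

```python
"""Scan a source tarball for world-writable members.

Added example, not code from the binutils thread, automake or GCC.
Everything here (package name, file layout) is constructed sample data.
"""
import io
import stat
import tarfile


def world_writable_members(tar_bytes, dirs_only=False):
    """Return [(name, octal mode)] for every member with the o+w bit set.

    Modes come straight from the archive headers, so this checks the
    product of the release process, not the rules that produced it.
    With dirs_only=True only directories are reported, which is the
    case discussed in the thread; files are reported too by default,
    since a world-writable file in a tarball is just as suspicious.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            # Symlink/hardlink modes are not meaningful on most systems.
            if m.issym() or m.islnk():
                continue
            if dirs_only and not m.isdir():
                continue
            if m.mode & stat.S_IWOTH:
                hits.append((m.name, oct(m.mode & 0o7777)))
    return hits


def build_sample_tarball():
    """Construct (in memory) a tarball shaped like a 'make dist' output.

    Constructed sample data: one clean directory, one world-writable
    directory, one sticky world-writable directory, one world-writable
    file. Only the first should survive a release check.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add_dir(name, mode):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.DIRTYPE
            ti.mode = mode
            tf.addfile(ti)

        def add_file(name, mode, data=b"x\n"):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            ti.mode = mode
            tf.addfile(ti, io.BytesIO(data))

        add_dir("pkg-1.0", 0o755)             # fine
        add_file("pkg-1.0/configure", 0o755)  # fine
        add_dir("pkg-1.0/src", 0o777)         # world-writable directory
        add_file("pkg-1.0/src/main.c", 0o644)  # fine
        add_dir("pkg-1.0/tmp", 0o1777)        # sticky bit, still o+w
        add_file("pkg-1.0/README", 0o666)     # world-writable file
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tarball()
    for name, mode in world_writable_members(sample):
        print(f"world-writable: {name} ({mode})")
    # A release gate would be: sys.exit(1 if world_writable_members(...) else 0)
```

On a real release you would pass the bytes of the actual tarball (for example `open("pkg-1.0.tar.gz", "rb").read()`) and fail the release if the list is non-empty. Note the sticky-bit case: `0o1777` is still world-writable for the purpose of Jim's concern, since anyone can create entries in it while the tree is being assembled, so the check deliberately does not exempt it.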