Re: Validating tarballs against git repositories
On Sat, Mar 30, 2024 at 11:55:04AM +0000, Luca Boccassi wrote:
>...
> In the end, massaged tarballs were needed to avoid rerunning
> autoconfery on twelve thousands different proprietary and
> non-proprietary Unix variants, back in the day. In 2024, we do
> dh_autoreconf by default so it's all moot anyway.
>...
The first step of the xz exploit was in a vendored gnulib m4 file that
is not (and should not be) in git and that does not get updated by
dh_autoreconf.
cu
Adrian
Reply to: