
Re: xz backdoor



On Sun, Mar 31, 2024 at 10:10:42AM +0200, Sirius wrote:
> Not worth boiling the ocean over, but is there an estimate of how many
> packaged projects have customisations to their autoconf that are not found
> in the upstream autoconf project? If that number is low single-digit
> percent, it may motivate those projects to upstream their modifications.
> If it is double-digit percent, it might not be possible to disallow
> vendoring the files.

This is difficult to answer because it's comparing apples and oranges to
some extent: not all autoconf customizations are vendored or would make
any kind of sense to upstream.  For example,
https://gitlab.com/man-db/man-db/-/blob/main/m4/man-arg-config-file.m4
is obviously specific to that project; it's just in a separate file for
the same reasons that projects past a certain size don't typically put
all their code in a single file.

I suspect the question you're aiming for is something like "how many
packaged projects have copied autoconf macros from elsewhere and
modified them but kept the same file names, so that a naïve attempt to
update them would drop those modifications".  My guess is that the
number here is very low - IME it's much more common in such cases to
either rename the macro file to be obviously project-specific or to find
some workaround that doesn't require changing the upstream macro - but
I've never seen anything resembling a robust analysis of this and I may
well have a skewed view.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
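The case Colin describes (a copied macro file kept under its upstream name but edited locally, so that a naive refresh from upstream would silently overwrite the edit, or, from the other direction, so that a local edit is easy to overlook) is mechanically checkable for any one project. The following is an added example, not code from this thread, from Debian or from man-db. It assumes the project keeps its macros in an `m4/` directory and that a pristine copy of the shared macros (for instance a fresh autoconf or gnulib checkout) is available as a reference directory; the macro contents in `demo()` are constructed samples, and only the file name `man-arg-config-file.m4` comes from the thread.

```python
"""Classify vendored autoconf macro files against a reference copy.

Added example, not code from the mailing-list thread. Assumes a project
m4/ directory and a reference directory holding pristine copies of the
shared macros; which directories those are is up to the caller.
"""
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def classify_m4_dir(project_m4: Path, reference_m4: Path) -> dict:
    """Sort every *.m4 in project_m4 into one of three buckets.

    identical        same name and same content as the reference copy
    modified         same name as a reference macro but different content;
                     these are the files a naive "update from upstream"
                     would overwrite, and the ones worth reviewing by hand
    project_specific no reference copy at all (a project's own macro)
    """
    ref_hashes = {p.name: sha256_file(p) for p in reference_m4.glob("*.m4")}
    buckets = {"identical": [], "modified": [], "project_specific": []}
    for path in sorted(project_m4.glob("*.m4")):
        if path.name not in ref_hashes:
            buckets["project_specific"].append(path.name)
        elif sha256_file(path) == ref_hashes[path.name]:
            buckets["identical"].append(path.name)
        else:
            buckets["modified"].append(path.name)
    return buckets


def macro_diff(project_m4: Path, reference_m4: Path, name: str) -> str:
    """Unified diff of a modified macro against its reference copy, so a
    reviewer sees exactly what the local edit changed."""
    ref_lines = (reference_m4 / name).read_text().splitlines(keepends=True)
    prj_lines = (project_m4 / name).read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(ref_lines, prj_lines,
                                        fromfile=f"reference/{name}",
                                        tofile=f"project/{name}"))


def demo() -> dict:
    """Run the check on a constructed sample tree and return the buckets
    plus a unified diff for each modified file."""
    # Constructed sample macro contents; these are not real autoconf macros.
    shared = ("AC_DEFUN([SAMPLE_SHARED],\n"
              "[AC_MSG_CHECKING([sample])\n"
              "AC_MSG_RESULT([ok])])\n")
    # Same file name as the reference copy, but with one extra line added
    # locally: the situation a naive upstream refresh would clobber.
    locally_edited = shared.replace(
        "AC_MSG_RESULT([ok])",
        "AC_MSG_RESULT([ok])\nAC_DEFINE([SAMPLE_LOCAL_TWEAK], [1], [local change])")
    own = ("AC_DEFUN([MAN_ARG_CONFIG_FILE],\n"
           "[AC_ARG_WITH([config-file], [], [], [])])\n")
    untouched = "AC_DEFUN([SAMPLE_UNTOUCHED], [])\n"
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "reference"
        prj = Path(tmp) / "project"
        ref.mkdir()
        prj.mkdir()
        (ref / "shared-macro.m4").write_text(shared)
        (ref / "untouched.m4").write_text(untouched)
        (prj / "shared-macro.m4").write_text(locally_edited)
        (prj / "untouched.m4").write_text(untouched)
        (prj / "man-arg-config-file.m4").write_text(own)  # no reference copy
        buckets = classify_m4_dir(prj, ref)
        buckets["diffs"] = {n: macro_diff(prj, ref, n) for n in buckets["modified"]}
    return buckets


if __name__ == "__main__":
    result = demo()
    for bucket in ("identical", "modified", "project_specific"):
        print(f"{bucket}: {result[bucket]}")
    for name, diff in result["diffs"].items():
        print(diff)
```

Run across a distribution's source packages with a per-package `m4/` path and a shared reference tree, the `modified` bucket is the list Sirius asked about: same-named, locally edited copies of shared macros. Hash comparison alone says only that a file differs; the diff is what a reviewer needs to decide whether the difference is a deliberate local change worth upstreaming or something that should not be there.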
