
Re: Validating tarballs against git repositories

Antonio Russo <aerusso@aerusso.net> writes:

> 1. Move towards allowing, and then favoring, git-tags over source tarballs

Some people have suggested this before -- and I have considered adopting
that approach myself, but one thing that is often overlooked is that
building from git usually increases the Build-Depends quite a lot
compared to building from tarball, and that will more likely trigger
cyclic dependencies.  People that do bootstrapping for new platforms or
cross-platform builds dislike such added dependencies.

One response to that may be "sorry, our concerns for supply chain
security trump your desire for easier building" but so far I believe
the approach has been to compromise a little on the supply chain side (i.e.,
building from tarballs) and compromise a little on the
bootstrap/crossbuild smoothness (e.g., adding nodoc or nocheck targets).

Moving that needle isn't all that trivial, although I think I'm moving
myself to a preference that we really need to build everything from
source code and preferably not even include non-source code files
because they may be dormant and activated later on, à la the xz attack.

An old irk of mine is that people seem to believe that running
'autoreconf -fi' is intended or supposed to combat problems related to
this: autoreconf was never designed for that purpose, nor does it
achieve it reliably.  Many distributions have adopted a preference to
run 'autoreconf' to "re-bootstrap" a project from source code.  This
misses a lot of generated files, and sometimes generates incorrect (and
possibly harmful) newly generated files.  For example:
https://gitlab.com/libidn/libidn2/-/issues/108

/Simon
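The thread's subject, checking a release tarball against the git tag it claims to come from, can be mechanised: list what the tarball ships that git does not (the generated, non-source files Simon's mail warns about), what git has that the tarball dropped, and which shared files differ. This is an added example, not code from the mailing list or from any project; it assumes the git side has already been turned into a {path: bytes} mapping (for instance by extracting `git archive <tag>`), and uses a constructed tarball and tree in place of a real release.

```python
import io
import tarfile


def tarball_members(tar_bytes: bytes) -> dict:
    """Return {path-without-top-level-dir: bytes} for regular files in a tarball."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            # Release tarballs normally nest everything under "name-version/".
            path = m.name.split("/", 1)[1] if "/" in m.name else m.name
            members[path] = tar.extractfile(m).read()
    return members


def compare_tarball_to_tree(tar_bytes: bytes, git_tree: dict) -> dict:
    """Classify every path: only in the tarball, only in git, or differing content."""
    tar_files = tarball_members(tar_bytes)
    return {
        # Shipped but not tracked in git: generated output (configure,
        # Makefile.in, m4/*) that autoreconf may or may not recreate, so
        # every such file deserves scrutiny before it is built or run.
        "only_in_tarball": sorted(set(tar_files) - set(git_tree)),
        "only_in_git": sorted(set(git_tree) - set(tar_files)),
        "modified": sorted(
            p for p in set(tar_files) & set(git_tree) if tar_files[p] != git_tree[p]
        ),
    }


def build_sample_tarball(files: dict, prefix: str = "libfoo-1.2") -> bytes:
    """Construct an in-memory .tar.gz with the usual top-level directory (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the tree at the git tag versus what the tarball ships.
# The tarball adds a generated "configure" and carries an altered src/foo.c.
GIT_TREE = {"configure.ac": b"AC_INIT([libfoo], [1.2])\n", "src/foo.c": b"int foo(void) { return 1; }\n"}
TARBALL = build_sample_tarball({**GIT_TREE, "configure": b"#!/bin/sh\n", "src/foo.c": b"int foo(void) { return 2; }\n"})
```

Any path reported under "only_in_tarball" or "modified" is exactly the non-source or silently changed content that building from the tag, rather than the tarball, would have excluded.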
