[sword-devel] Autotools Bug?
Jonathan Marsden
jmarsden at fastmail.fm
Mon May 11 16:37:11 MST 2009
Greg Hellings wrote:
> If the configure script can't find a required tool or library, it
> should die and issue an appropriate error message.
Seems reasonable, although "should" is maybe a bit strong. Isn't that
what AC_REQUIRE_CPP does? I'll check it out this evening at home, if I
have a chance.
> In this case, configure was just testing through and couldn't find
> g++ and any of about a dozen other C++ compilers, but it continued
> ...
I think that's the default behaviour. The search for a C++ compiler
done by AC_PROG_CXX just defaults to g++ if it can't find one, rather
than exiting with an error. I'd guess there are historical reasons for
that choice.
> I think it should fail, but the failure should be inside of
> configure.sh ...
OK. I'm fairly sure that's "just" a matter of instructing autoconf to
do what you want it to do.
> One of the problems with running sudo is that in many configurations
> (including the default configuration on Ubuntu) it "remembers" that a
> particular console or session is authorized for a certain amount of
> time, which would make it possible for extraneous sudo commands to
> slip into the configure or make system.
That's the kind of thing that led to sudo -k . Security-conscious users
who use sudo and are about to run untested scripts from unknown source
tarballs should use sudo -k before running them.
> And the claim is not entirely academic - there have been a few
> isolated cases where a library's build system, after asking for root
> permissions, downloaded and installed code which was harmful to the
> user. As such, I wouldn't ever supply my root password to a
> configure script without being VERY sure I knew who it came from.
Sure; but I wouldn't run a script with a non-standard name that even
doesn't look like it was generated by autoconf, in an unfamiliar
apparently-autoconf-using setup, without reading it first anyway -- even
as my regular user ... it might add 'interesting' stuff to my .bashrc ,
or alias su or sudo to do very naughty things, or just /bin/rm -rf ~ :|
One should probably be building and testing untrusted code in a VM
anyway, or if not, at least in a chrooted build environment, if system
security is an important concern. Which is often is, or often should be!
Seeing an unexpected or unexplained sudo password prompt is not an
absolute sign of a problem in a script, IMO -- just a sign that you
forgot to read through the script before running it!
> I have no problems with autogen.sh - I've seen something similar on
> almost every auto-tools based project I've pulled from a VCS.
autogen.sh seems fundamentally unnecessary to me. If a couple of minor
tweaks are made to configure.am and Makefile.am (tweaks which should be
made anyway, since autoreconf really is supposed to work when used on an
autotool-based source tree!), then what autogen.sh does is what
autoreconf normally does -- or else I am misunderstanding what
autogen.sh is all about, hence my questions regarding it :)
> The real problem here is that autotools isn't behaving properly -
> e.g. alerting the user that required programs aren't found.
As noted above, as far as I can tell, that's "just" a matter of telling
autoconf that "alert and die" is the behaviour you want from its
configure script regarding a C++ compiler, since, for whatever reason,
that is not the default. If it really is as easy as adding
AC_REQUIRE_CPP to configure.ac, I'll provide a trivial patch in a few
hours :)
Worst case we might have to use an AC_CHECK_PROG macro to test for this.
It's not a "real problem" either way, I think, more a matter of your
expectations not exactly matching those of whoever created SWORD's
configure.ac file, nor those of autotools' defaults.
Incidentally, running a quick autoscan on the SWORD 1.6.0RC3 sources
suggests there are several things which "should" be being checked for
but which are not currently being checked.
Jonathan
More information about the sword-devel
mailing list