Anybody using the old waf?
Fred Wright
fw at fwright.net
Sat Mar 29 20:52:15 UTC 2025
On Fri, 28 Mar 2025, James Browning via devel wrote:
> On Thursday, March 27, 2025 9:29:33 PM Pacific Daylight Time Fred Wright via
> devel wrote:
>> On Fri, 28 Mar 2025, Matt Selsky wrote:
[...]
>>> What specifically is currently shebanged to python3 and maybe needs to be
>>> changed?
>> I'm referring to waf. It's easily worked around, though technically not
>> having a 'python' command is a bug, since code that works with both Python
>> 2 and Python 3 is supposed to use the more generic 'python' in the shebang
>> line. The absence of Python 2 doesn't change that.
>
> It breaks the embedded signature few people check.
How many people care about signatures *and* don't trust the ntpsec
signature *and* worry about the waf signature?
It seems to me that that issue could be adequately addressed by including
a comment in the preamble documenting the change. Then someone who
actually cares about the issue could:
1) Download the official waf.
2) Check the signature of the official waf.
3) Diff the ntpsec waf against the official waf.
This ought to be sufficient to verify that waf isn't suffering from "xz
disease" (assuming that the tools used in steps 1-3 aren't compromised).
MR available upon request.
Fred Wright
More information about the devel
mailing list