All libtool versions prior to the 2.2.6b release are vulnerable to a serious issue:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3736

It's not an Xfce problem, but I'm just saying there's no need to care about versions older than 2.2.6b anymore. Therefore we can use the new syntax for packages:

Remove any AC_PROG_LIBTOOL (and if there is AC_DISABLE_STATIC, that too) and replace it with this:

    LT_PREREQ([2.2.6])
    LT_INIT([disable-static])

That's the new libtool syntax starting from 2.2.6:
http://www.gnu.org/software/libtool/manual/html_node/LT_005fINIT.html

If someone really wants static libraries/archives out of Xfce4 packages, he can still override it with --enable-static (probably not useful at all on any *nix systems, but it's still there :)

This is from Thunar's and libxfce4ui's configure.ac. This is correct for old syntax so I suggest updating it too to be consistent.

    AC_DISABLE_STATIC()
    AC_PROG_LIBTOOL()

    --enable-static[=PKGS]  build static libraries [default=no]
    --enable-shared[=PKGS]  build shared libraries [default=yes]

This is from xfdesktop's configure.ac. This is missing the call to disable static libs by default.

    AC_PROG_LIBTOOL

    --enable-shared[=PKGS]  build shared libraries [default=yes]
    --enable-static[=PKGS]  build static libraries [default=yes]  <- eww!

And these are affected as well:

    exo
    garcon
    libxfce4util
    libxfcegui4
    xfce4-panel
    xfce4-session
    xfce4-settings
    xfconf
    xfdesktop

And most of the plugins, but because most plugins are not libraries but executables it's not a real issue for them. However, these plugins are exceptions to that rule and build a library too:

    thunar-shares-plugin
    xfce4-datetime-plugin (see bug 6659 I already had filed before)
    xfce4-notes-plugin
    xfce4-playercontrol-plugin
    xfce4-sensors-plugin

Overall this would reduce the compile time of Xfce packages and would save distribution maintainers the need to call --disable-static by hand in Package manager's rules (debian/rules, ebuild, PKGBUILD, etc.).
And it also saves HDD space in the end :)
Moving to dev tools.
Created attachment 3236
Update dev tools for LT_PREREQ

First of all I recommend the patch above. It makes autogen work with LT_PREREQ and warns if AC_PROG_LIBTOOL is used.
While we're at this, we also might consider bumping some other minimum versions. I suggest the following versions:

    automake 1.9 (we use 1.8 in various places, 1.10/1.11 has some known security issues, but 1.11.1 is very new).
    libtool 2.2.6 (for new macro).
    autoconf 2.60 (we use 2.50 mostly, but a small bump doesn't hurt, 2.60 is around a long time, xorg also used 2.60).

See also http://live.gnome.org/GnomeGoals/ModernAutotools, but those versions are too new without any reason. I think the versions above are very reasonable, so if nobody has any objections, I'll patch the core components and apply the dev-tools patch, so others will slowly move to the new libtool macro too.
(In reply to comment #3)
> While we're at this, we also might consider bumping some other minimum
> versions.
> I suggest the following versions:
> automake 1.9 (we use 1.8 in various places, 1.10/1.11 has some known security
> issues, but 1.11.1 is very new).

libtool 2.4 dropped support entirely for older than 1.9, so this makes sense :)

+1 from me
Nick, can you apply the patch? It doesn't look like anyone would complain against it, and if they do, as written in comment 1, you can still decide to install static libraries.
Ok, pushed the fix. For those who read this bug for more information, please change

    AC_DISABLE_STATIC()
    AC_PROG_LIBTOOL()

in configure.ac.in to

    LT_PREREQ([2.2.6])
    LT_INIT([disable-static])
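
For maintainers who want to find which packages in a checkout still need the migration described in this bug, here is an added example that is not part of the original thread and not the dev-tools patch itself. It classifies each configure.ac / configure.ac.in by which libtool macros it calls and whether static archives default to on; the verdict strings and the sample package directory names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit configure templates for the libtool macros in this bug.

# Print a one-word verdict (hypothetical names) for the file given as $1.
classify_libtool() {
    # Strip dnl/# comments, then join lines so multi-line macro calls match.
    src=$(sed -e 's/dnl.*$//' -e 's/#.*$//' "$1" | tr '\n' ' ')
    has() { printf '%s\n' "$src" | grep -Eq "$1"; }

    # Static archives are off by default if either spelling requests it.
    static=on
    if has 'LT_INIT\([^)]*disable-static' || has 'AC_DISABLE_STATIC'; then
        static=off
    fi

    if has 'LT_INIT'; then
        # New syntax without a version floor still accepts pre-2.2.6 libtool.
        if ! has 'LT_PREREQ'; then echo "new-no-prereq"
        else echo "new-static-$static"; fi
    elif has 'AC_PROG_LIBTOOL'; then
        echo "old-static-$static"
    else
        echo "no-libtool"
    fi
}

# Walk a source tree ($1) and print "<verdict> <path>" per configure template.
audit_tree() {
    find "$1" -type f \( -name configure.ac -o -name configure.ac.in \) |
    sort |
    while IFS= read -r f; do
        printf '%-16s %s\n' "$(classify_libtool "$f")" "$f"
    done
}

# Constructed sample tree (hypothetical package names) mirroring the three
# cases in the report: old syntax done right, old syntax with static left on,
# and the migrated form.
demo=$(mktemp -d)
mkdir "$demo/pkg-old" "$demo/pkg-eww" "$demo/pkg-new"
printf 'AC_DISABLE_STATIC()\nAC_PROG_LIBTOOL()\n' > "$demo/pkg-old/configure.ac"
printf 'dnl AC_DISABLE_STATIC\nAC_PROG_LIBTOOL\n' > "$demo/pkg-eww/configure.ac"
printf 'LT_PREREQ([2.2.6])\nLT_INIT([disable-static])\n' > "$demo/pkg-new/configure.ac.in"
audit_tree "$demo"
rm -rf "$demo"
```

Anything reported as old-static-on or new-no-prereq is a candidate for the change described above; the comment stripping is a simple heuristic and does not expand m4 includes.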