On Tue, 2024-04-09 at 14:50 -0700, Paul Eggert wrote: > On 4/9/24 14:40, Jeffrey Walton wrote: > > > Code provenance and code integrity was not enforced. Part of the > > problem is the Autotools design. It is from a bygone era. > > > No, Andreas is right. This isn't an Autotools-vs-Meson thing. > > Most of the Autotools-based projects I help maintain would have been > immune to this particular exploit, partly because they don't maintain > their own of Gnulib .m4 files. Conversely, any Meson-based project that > had the same sort of out-of-repository sloppiness and lack of review > that xz had, would be vulnerable to similar attacks.
Xz doesn't either, the exploit was unique to the distributed `make dist` tarballs. Which is an Autotools quirk present in all Autotools projects. I won't deny that a project could use Meson and be sloppy, a project could use SSL/TLS/whatever and be completely insecure. But Autotools encourages and semi-requires this sloppy behavior, and CMake and Meson strongly discourage this behavior. -Jonathon