> > > I think the key difference here is that Autotools allows arbitrarily
> > > generated code to be executed at any time. More modern build systems
> > > require the use of specific commands/files to run arbitrary code, e.g.
> > > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson
> > > ([`run_command()`][1]), Cargo ([`build.rs`][4]).
> >
> > To me it seems that Cargo is the absolute worst case with respect to
> > supply chain attacks.
> >
> > It pulls in dependencies recursively from a relatively uncurated
> > list of projects, puts the source of all those dependencies into a
> > hidden directory in home, and runs Build.rs automatically with
> > user permissions.
>
> 100% this. Wait until you learn how proc macros work.