On Tue, 2024-04-09 at 14:50 -0700, Paul Eggert wrote:
> On 4/9/24 14:40, Jeffrey Walton wrote:
> 
> > Code provenance and code integrity was not enforced. Part of the
> > problem is the Autotools design. It is from a bygone era.
> 
> 
> No, Andreas is right. This isn't an Autotools-vs-Meson thing.
> 
> Most of the Autotools-based projects I help maintain would have been  
> immune to this particular exploit, partly because they don't maintain  
> their own of Gnulib .m4 files. Conversely, any Meson-based project that  
> had the same sort of out-of-repository sloppiness and lack of review  
> that xz had, would be vulnerable to similar attacks.

Xz doesn't either, the exploit was unique to the distributed `make dist` tarballs. Which is an Autotools quirk present in all Autotools projects.

I won't deny that a project could use Meson and be sloppy, a project could use SSL/TLS/whatever and be completely insecure. But Autotools encourages and semi-requires this sloppy behavior, and CMake and Meson strongly discourage this behavior.

-Jonathon