this post was submitted on 07 Apr 2024
82 points (93.6% liked)

Technology

59055 readers
3173 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
82
Eric S. Raymond / autodafe · Tools for freeing your project from the clammy grip of autotools. (gitlab.com)
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]
15 comments fedilink hide all child comments
 

Crossposted from [email protected]

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 6 months ago (2 children)

cmake compiles to makefiles as well (it just also supports some other backends). I'm not sure why that matters though. In both cases the makefile is generated.

[–] [email protected] 5 points 6 months ago (2 children)

Not that I'm the biggest fan of CMake's syntax, but they are fairly concise and standardised. The XZ backdoor hid in amongst thousands of lines of autotools jank that very few people would be able to audit. A short CMakeList that generates a Makefile is a much harder place to hide something nefarious.

[–] [email protected] 1 points 6 months ago

Its a good practice to make the auto generated code a part of the .gitignore list. Any language installable on peoples machines can be used to build these makefiles. Ya know a language is on that list? Makefile!

[–] [email protected] 2 points 6 months ago (1 children)

There's actually not that much autotools jank, really. There's configure.ac and a few Makefile.am. The CMakeLists.txt in the root is bigger than any of those files.

There's also some stuff from autotools archive in m4/. IMO that's a bad practice and we should instead be referencing them as a build dependencies.

I'm not convinced this backdoor would have been significantly more difficult to hide in the cmake code.

[–] [email protected] 3 points 6 months ago (1 children)

My point was that packagers should use straight up VCS and run all build tools instead of relying on partially pre-built tarballs uploaded by the upstream maintainers.

[–] [email protected] 1 points 6 months ago

Oh yeah, that was pretty much the point I was trying to make too.

[–] [email protected] 1 points 6 months ago

It does? I guess I never looked inside that build directory.