> > > > > I think the key difference here is that Autotools allows arbitrarily > generated code to be executed at any time. More modern build systems > require the use of specific commands/files to run arbitrary code, e.g. > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson > ([`run_command()`][1]), Cargo ([`build.rs`][4]).\ > > To me it seems that Cargo is the absolute worst case with respect to > supply chain attacks. > > It pulls in dependencies recursively from a relatively uncurated > list of projects, puts the source of all those dependencies into a > hidden directory in home, and runs Build.rs automatically with > user permissions. >
100% this. Wait until you learn how proc macros work.
