Hi -

> In Autotools, `make dist` produces a tarball that contains many
> files not present in the source repository; it includes build system
> core files, and this fact was used for the xz attack. In contrast,
> for newer build systems the "release tarball" is purely a snapshot
> of the source repository: there is no `cmake dist`, and `meson dist`
> is essentially `git archive` [...]
For what it's worth, not every auto*-using project uses "make dist" to build its release tarballs. If they can get over the matter of having auto*-generated scripts located in the source repo, then indeed a "git archive" is sufficient. Several of the projects I work on do just this. (As a bonus, that makes the git repos immediately buildable by developers, without need to re-auto* anything.)

- FChE
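The following is an added example, not code from the thread or from any of the projects mentioned: it builds a release tarball with `git archive` and then checks an arbitrary tarball against the tagged git tree, printing every entry that is not a tracked file at that tag, which is exactly the class of file (`make dist` output not present in the repository) the quoted message is worried about. The demo repository, the tag `v1.0`, and the extra file `build-aux/ltmain.sh` are all constructed here for illustration; `git`, `tar` and `gzip` are assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example (not from the original thread): release tarballs from
# `git archive`, plus a check that flags tarball contents absent from git.
set -eu

# make_release_tarball REPO TAG OUT: snapshot exactly the committed tree at TAG.
make_release_tarball() {
  repo=$1; tag=$2; out=$3
  git -C "$repo" archive --format=tar.gz --prefix="${tag}/" -o "$out" "$tag"
}

# list_extra_files REPO TAG TARBALL: print entries of TARBALL (with the TAG/
# prefix stripped) that are not tracked files at TAG. Directory entries are
# ignored. Prints nothing when the tarball is a pure snapshot of the tree.
list_extra_files() {
  repo=$1; tag=$2; tarball=$3
  prefix="${tag}/"
  tracked=$(mktemp); intar=$(mktemp)
  git -C "$repo" ls-tree -r --name-only "$tag" | sort > "$tracked"
  tar -tzf "$tarball" | grep -v '/$' | sed "s|^$prefix||" | sort > "$intar"
  comm -13 "$tracked" "$intar"          # lines only in the tarball list
  rm -f "$tracked" "$intar"
}

# setup_demo_repo: constructed repository with two tracked files, tagged v1.0.
setup_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  mkdir -p "$repo/src"
  printf 'AC_INIT([demo], [1.0])\n' > "$repo/configure.ac"
  printf 'int main(void) { return 0; }\n' > "$repo/src/main.c"
  git -C "$repo" add .
  git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m 'initial import'
  git -C "$repo" tag v1.0
  printf '%s\n' "$repo"
}

# demo: the `git archive` tarball is clean; a dist-style tarball that also
# carries a generated script not in git (hypothetical build-aux/ltmain.sh)
# is flagged. Returns a one-line summary of both checks.
demo() {
  repo=$(setup_demo_repo)
  work=$(mktemp -d)
  make_release_tarball "$repo" v1.0 "$work/demo-1.0.tar.gz"
  clean=$(list_extra_files "$repo" v1.0 "$work/demo-1.0.tar.gz")
  # Build a "dist-like" tarball: the snapshot plus one untracked generated file.
  mkdir "$work/dist"
  tar -xzf "$work/demo-1.0.tar.gz" -C "$work/dist"
  mkdir -p "$work/dist/v1.0/build-aux"
  printf '# generated, not tracked in git\n' > "$work/dist/v1.0/build-aux/ltmain.sh"
  tar -czf "$work/demo-1.0-dist.tar.gz" -C "$work/dist" v1.0
  dirty=$(list_extra_files "$repo" v1.0 "$work/demo-1.0-dist.tar.gz")
  rm -rf "$repo" "$work"
  printf 'clean:[%s] dist-extras:[%s]\n' "$clean" "$dirty"
}

# Usage: run the demo; for a real project call
#   list_extra_files /path/to/repo vX.Y /path/to/project-X.Y.tar.gz
# against the tarball you are about to publish (or one you downloaded).
demo
```

The check compares names only; pair it with a content comparison (extract both tarballs and `diff -r`) if you also want to catch a tracked file whose tarball copy differs from the committed one.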
