• Corngood@lemmy.ml
    link
    fedilink
    English
    arrow-up
    8
    ·
    9 months ago

    cmake compiles to makefiles as well (it just also supports some other backends). I’m not sure why that matters though. In both cases the makefile is generated.

    • addie@feddit.uk
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      Not that I’m the biggest fan of CMake’s syntax, but they are fairly concise and standardised. The XZ backdoor hid in amongst thousands of lines of autotools jank that very few people would be able to audit. A short CMakeList that generates a Makefile is a much harder place to hide something nefarious.

      • Corngood@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        There’s actually not that much autotools jank, really. There’s configure.ac and a few Makefile.am. The CMakeLists.txt in the root is bigger than any of those files.

        There’s also some stuff from autotools archive in m4/. IMO that’s a bad practice and we should instead be referencing them as a build dependencies.

        I’m not convinced this backdoor would have been significantly more difficult to hide in the cmake code.

        • flying_sheep@lemmy.ml
          link
          fedilink
          English
          arrow-up
          3
          ·
          9 months ago

          My point was that packagers should use straight up VCS and run all build tools instead of relying on partially pre-built tarballs uploaded by the upstream maintainers.

      • Hello Hotel@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Its a good practice to make the auto generated code a part of the .gitignore list. Any language installable on peoples machines can be used to build these makefiles. Ya know a language is on that list? Makefile!