On 4/9/24 15:22, Sam James wrote:
> Paul Eggert <egg...@cs.ucla.edu> writes:
>
>> On 4/9/24 14:58, Sam James wrote:
>>> Meson doesn't allow user-defined functions
>> Meson has ways to execute arbitrary user-defined code, so it's not
>> immune to this sort of exploit.
> To be clear - not saying it's immune.

Sure, but someone who's not expert in Meson could easily misread "Meson doesn't allow user-defined functions" and think that this means Meson is immune to an xz-style attack, which it's not.

> Just that it scopes the
> user-defined code part to clearly defined sections.

As does Autoconf. To a determined attacker I daresay there's not much difference.

> I think it makes sense to optimise for ease of review.

Ease of review is definitely a good thing, all other things being equal.

> It's just easy to go too far the other
> way too and not change anything

I'm certainly not advocating that! All I'm saying is that we should use our limited development resources wisely.
