Hi!

While analyzing the recent xz backdoor hook into the build system [A], I noticed that one of the aspects why the hook worked was because it seems like «autoreconf -f -i» (that is run in Debian as part of dh-autoreconf via dh) still seems to take the serial into account, which was bumped in the tampered .m4 file. If either the gettext.m4 had gotten downgraded (to the version currently in Debian, which would not have pulled the tampered build-to-host.m4), or once Debian upgrades gettext, the build-to-host.m4 would get downgraded to the upstream clean version, then the hook would have been disabled and the backdoor would be inert. (Of course at that point the malicious actor would have found another way to hook into the build system, but the fewer avenues there are the better.)

I've tried to search the list and checked for old bug reports on the debbugs.gnu.org site, but didn't notice anything. To me this looks like a very unexpected behavior, but it's not clear whether this is intentional or a bug. In any case, regardless of either position, it would be good to improve this (either by fixing --force to force things even if downgrading, or otherwise perhaps to add a new option to really force everything).

[A] <https://lists.debian.org/debian-devel/2024/03/msg00367.html>
    Longish mail, search for "try to go in detail" for the analysis.

Thanks,
Guillem
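An added check (not part of Guillem's mail, nor of autoconf or automake) that lists the macros in a project's m4/ whose serial is higher than the same-named file in a system aclocal directory, i.e. the local copies that, per the behaviour described above, «autoreconf -f -i» would keep rather than overwrite, so a maintainer can diff them by hand. The directory names, file contents and serial numbers in the demo are constructed, and the serial pattern is an approximation of what aclocal recognises.

```shell
#!/bin/sh
# Added example: flag local .m4 files whose serial is higher than the
# system copy. Everything below is constructed for the demo.
set -eu

# Print the serial of an m4 file: the first line of the form
# "# serial N" or "# name.m4 serial N" (N may be dotted, e.g. 2.10).
# Prints nothing if the file carries no serial. (Approximate pattern.)
m4_serial() {
    sed -n 's/^#[[:space:]]*\([^[:space:]]\{1,\}[[:space:]]\{1,\}\)\{0,1\}serial[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\2/p' "$1" | head -n 1
}

# Compare two dotted serials component by component; prints 1 if $1 > $2, else 0.
serial_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0;
            if (p > q) { print 1; exit } if (p < q) { print 0; exit }
        }
        print 0 }'
}

# For each $1/*.m4 that also exists in $2, print "name local=X system=Y"
# when the local serial is strictly higher than the system one.
find_higher_serials() {
    local_dir=$1; sys_dir=$2
    for f in "$local_dir"/*.m4; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        loc=$(m4_serial "$f"); [ -n "$loc" ] || continue
        [ -e "$sys_dir/$name" ] || continue
        sys=$(m4_serial "$sys_dir/$name"); [ -n "$sys" ] || continue
        if [ "$(serial_gt "$loc" "$sys")" = 1 ]; then
            printf '%s local=%s system=%s\n' "$name" "$loc" "$sys"
        fi
    done
}

# Constructed demo tree: a project m4/ beside a fake system aclocal dir.
demo() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    mkdir "$tmp/m4" "$tmp/sys"
    printf '# build-to-host.m4 serial 30\n' > "$tmp/m4/build-to-host.m4"   # bumped locally
    printf '# build-to-host.m4 serial 3\n'  > "$tmp/sys/build-to-host.m4"
    printf '# gettext.m4 serial 71 (x)\n'   > "$tmp/m4/gettext.m4"         # equal: not flagged
    printf '# gettext.m4 serial 71 (x)\n'   > "$tmp/sys/gettext.m4"
    printf '# serial 2.10\n' > "$tmp/m4/lib-ld.m4"; printf '# serial 2.9\n' > "$tmp/sys/lib-ld.m4"
    find_higher_serials "$tmp/m4" "$tmp/sys"
}
```

Running `demo` lists build-to-host.m4 (30 > 3) and lib-ld.m4 (2.10 > 2.9) but not gettext.m4; point `find_higher_serials` at a real m4/ and the output of `aclocal --print-ac-dir` to use it on a checkout.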