Am 30.03.2024 um 16:35 schrieb Daniil Gentili <daniil.gent...@gmail.com>: >> That would break lots of tools as it requires extra dependencies so it is >> not something that would could in stable versions. > Btw, I do not believe that "it would require end users to install autotools > and bison in order to compile PHP from tarballs" is valid reason to delay the > patching of a serious attack vector ASAP.
I agree with Jakub that removing configure would just shift the problem, not solve it, while at the same time puts a new burden on people compiling PHP from downloaded archives. But my main question is: I fail to see the difference whether I plant my malicious code in configure, configure.ac or *.c: Someone has to review the changes and notice the problem. And we have to trust the RMs. What am I missing? Regards, - Chris