mgorny-nyan (he) :autism:🙀🚂🐧<p>So I've just bumped a bunch of old <a href="https://social.treehouse.systems/tags/Gentoo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gentoo</span></a> packages to EAPI 8. Some of them haven't been updated for 6 years. And do you know what's best? They still worked — their build systems work, they compile and they just work. Unlike most of the stuff developed these days.</p><p><a href="https://social.treehouse.systems/tags/autotools" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>autotools</span></a> <a href="https://social.treehouse.systems/tags/C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>C</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.
Administered by:
Server stats:
225active users
eupolicy.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.8
#autotools
0 posts · 0 participants · 0 posts today
oblate<p>I have a long-standing project which I am converting to use C++ modules. I've decided that using <a href="https://mastodon.social/tags/perl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>perl</span></a> to generate the Makefile is vastly easier than using <a href="https://mastodon.social/tags/autotools" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>autotools</span></a> and <a href="https://mastodon.social/tags/cmake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cmake</span></a>. </p><p>At least I can understand WTF is going on.</p><p>In the end, programmatical beats automagical.</p>
Kornel<p>Seriously, in retrospect, <a href="https://mastodon.social/tags/autotools" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>autotools</span></a> itself is a massive supply-chain security risk.</p><p>It has normalized shipping and running tens of thousands of lines of arbitrary executable code without any safeguards.</p><p>Code that is so mind-numbingly awful that nobody will review it, and written in a language that is full of gotchas that are sneaky eval gadgets.</p>
mgorny-nyan (he) :autism:🙀🚂🐧<p>I suppose everyone and their grandmother is now using the xz/sshd exploit to further their own agenda, so I am going to take this opportunity to further mine as well.</p><p>1. <a href="https://social.treehouse.systems/tags/Autotools" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Autotools</span></a> are a bad build system. If configure scripts are completely unreadable, there should be no surprise that people won't notice obfuscated malicious code in there, provided that everything else is obfuscated by design.</p><p>2. Static linking and vendoring is bad. Do you know why the prompt <a href="https://social.treehouse.systems/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> response was possible? Because we just had to revert to older liblzma. We didn't have to check, patch and re-release hundreds of projects. It wouldn't be this easy with <a href="https://social.treehouse.systems/tags/RustLang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RustLang</span></a> and cargo.</p><p>3. You can blame <a href="https://social.treehouse.systems/tags/OpenSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSource</span></a> for being underfunded and open to abuse in core system packages. However, no IT project can be resilient to a sufficiently powerful bad actor, and that it happened to xz is just an incident. Corporate projects aren't resilient to it, neither is proprietary, closed-source software.</p><p>So, embrace <a href="https://social.treehouse.systems/tags/Meson" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Meson</span></a>, embrace dynamic linking, embrace distribution packaging and donate to open source developers.</p><p><a href="https://social.treehouse.systems/tags/Gentoo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gentoo</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload