Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/leftpaddotpy/statuses/112182864565024236">jade (leftpaddotpy@hachyderm.io)'s status on Sunday, 31-Mar-2024 04:54:40 JST</a><a href="https://hachyderm.io/@leftpaddotpy" title="leftpaddotpy@hachyderm.io"><img src="https://gnusocial.jp/avatar/179725-48-20230927083107.webp" width="48" height="48" alt="jade" style="position: absolute; left: 0; top: 0;">jade</a><div><a href="https://nixos.paris/@raito/112181906474172902" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/40873" title="dalias@hachyderm.io">Rich Felker</a></li><li><a href="https://gnusocial.jp/user/149449" title="alanc@fosstodon.org">Alan Coopersmith</a></li></ul></div></section><article><p><a href="https://nixos.paris/@raito">@raito</a> <a href="https://fosstodon.org/@alanc">@alanc</a> <a href="https://hachyderm.io/@dalias">@dalias</a> i would absolutely believe *autoconf* files to be a vector for malicious code, they're incomprehensible macro noise by nature, and this is just speaking as a nixos maintainer for whom these files are simply constantly broken and should not be used regardless of malice</p><p>tbh my view is that release tarballs that aren't simply the git state are a practice that should be abolished. or at least we should diff the heck out of them and figure out how to catch malicious autoconf.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2879252#notice-5727582">In conversation</a><time datetime="2024-03-31T04:54:40+09:00" title="Sunday, 31-Mar-2024 04:54:40 JST">about 8 months ago</time> <span>from <span><a href="https://hachyderm.io/@leftpaddotpy/112182864565024236" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@leftpaddotpy/112182864565024236">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
jade (leftpaddotpy@hachyderm.io)'s status on Sunday, 31-Mar-2024 04:54:40 JSTjade
in reply to
@raito @alanc @dalias i would absolutely believe *autoconf* files to be a vector for malicious code, they're incomprehensible macro noise by nature, and this is just speaking as a nixos maintainer for whom these files are simply constantly broken and should not be used regardless of malice
tbh my view is that release tarballs that aren't simply the git state are a practice that should be abolished. or at least we should diff the heck out of them and figure out how to catch malicious autoconf.
In conversationabout 8 months ago from hachyderm.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice