@raito @alanc @dalias i would absolutely believe *autoconf* files to be a vector for malicious code, they're incomprehensible macro noise by nature, and this is just speaking as a nixos maintainer for whom these files are simply constantly broken and should not be used regardless of malice
tbh my view is that release tarballs that aren't simply the git state are a practice that should be abolished. or at least we should diff the heck out of them and figure out how to catch malicious autoconf.
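
One way to do the diffing suggested in the post above, as an added example that is not part of the original post: compare a release tarball with a `git archive` tarball of the same tag and list what was added, dropped or changed. The function names, the assumption of a single top-level directory in each archive, and the sample archives (constructed in memory) are all hypothetical.

```python
import hashlib
import io
import tarfile


def _digests(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf:
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[rel] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return out


def compare(release_tar, git_tar):
    """Report files that exist only on one side or whose contents differ."""
    rel, git = _digests(release_tar), _digests(git_tar)
    return {
        "only_in_release": sorted(set(rel) - set(git)),
        "only_in_git": sorted(set(git) - set(rel)),
        "modified": sorted(p for p in set(rel) & set(git) if rel[p] != git[p]),
    }


def _make_tar(prefix, files):
    """Build a small .tar.gz in memory (helper for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: a "git archive" tree and a release tarball that adds
# a generated configure script and ships an m4 file that differs from git.
_COMMON = {"configure.ac": b"AC_INIT([proj],[1.0])\n",
           "src/main.c": b"int main(void){return 0;}\n"}
GIT_TAR = _make_tar("proj-1.0", {**_COMMON,
                                 "m4/check.m4": b"AC_DEFUN([PROJ_CHECK],[:])\n"})
RELEASE_TAR = _make_tar("proj-1.0", {**_COMMON,
                                     "m4/check.m4": b"AC_DEFUN([PROJ_CHECK],[: dnl edited])\n",
                                     "configure": b"#!/bin/sh\n# generated\n"})

if __name__ == "__main__":
    for kind, paths in compare(RELEASE_TAR, GIT_TAR).items():
        print(kind, paths)
```

Files under `only_in_release` are often just generated autotools output, but they are exactly the part no one reviewed in git; anything under `modified` is tracked source that the tarball ships with different contents.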