@raito @alanc @dalias wonder if the solution here is to construct things to evaluate whether an autoconf script is one that could have been generated by any released version of autoconf and check the maintainers' work, so we could find out if there's malicious stuff going on (even if distros just ignore the release tarball anyway)