• @[email protected]
    247 months ago

    I agree that autocrap is the worst build system in use now. However writing plain Makefiles is not an option for projects that are more complex than hello world. It is very difficult to write them portably (between various OSes, compilers and make implementations) and to support cross compiling. That’s why developers used to write configure scripts that evolved to autocrap.

    Happily we have better alternatives like cmake and meson (I personally prefer cmake and don’t like meson, but it is also a good build system solving the complexity problem).

  • Alex
    157 months ago

    A lot of projects would be better served with a plain Makefile although for widely posted projects something is required.

    Qemu has used a single readable POSIX shell script for configure although recently most of the tests are in meson (avoiding some Makefile shenanigans in the process). While it’s a new syntax to learn at least the intent is clear and reviewable.

  • @just_another_person
    37 months ago

    Good writeup. I think the basic issue is a lack of static scanning for open source repos. No, it may not have caught this particular thing, but who knows. This was clever. Devious even. Spread out over time to avoid detection. There may be more out there. We need some scanning tools to be able to detect patterns like this if possible, or new conventions to prevent things like this from happening again.

  • @[email protected]
    27 months ago

    If you stop shipping autotools generated artefacts in your tarballs, things will be a lot simpler.

    Weirdly enough the malicious code does look eerily similar to the benign code, because both are unnecessarily obfuscated.

    This is not a human written or readable file you’re talking about. It’s a generated script.
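The point about generated artefacts in tarballs suggests a simple check a release consumer or maintainer can run: list what the tarball ships that is not in the reviewed source tree. The script below is an added example, not code from the thread or from any project named in it; it uses constructed fixtures (a stand-in source tree and a hand-built tarball) so it runs offline, and its paths and file names are hypothetical.

```shell
#!/bin/sh
# Added example: report files that a release tarball ships but that are
# absent from the project's source tree, i.e. generated artefacts
# (configure, Makefile.in, ...) that nobody reviewed in version control.
# Assumes: POSIX sh, tar, find, sed, sort, comm, mktemp.
export LC_ALL=C   # fixed byte-order sorting so sort and comm agree

# Print the regular-file paths inside a tarball, with the top-level
# release directory (e.g. proj-1.0/) stripped off.
tarball_paths() {
    tar -tf "$1" | sed 's#^[^/]*/##' | grep -v '/$' | grep -v '^$' | sort -u
}

# Print the file paths of a source tree (a directory standing in for a
# git checkout of the tagged commit).
tree_paths() {
    (cd "$1" && find . -type f | sed 's#^\./##') | sort -u
}

# Paths present in the tarball ($1) but not in the source tree ($2).
unreviewed_files() {
    tb=$(mktemp); tr=$(mktemp)
    tarball_paths "$1" > "$tb"
    tree_paths "$2" > "$tr"
    comm -23 "$tb" "$tr"
    rm -f "$tb" "$tr"
}

# Constructed fixtures: a tree with only hand-written sources, and a
# tarball of the same sources plus two generated files. Prints the workdir.
make_fixtures() {
    work=$(mktemp -d)
    mkdir -p "$work/src/src" "$work/rel/proj-1.0/src"
    printf 'int main(void){return 0;}\n' > "$work/src/src/main.c"
    printf 'AC_INIT([proj],[1.0])\n' > "$work/src/configure.ac"
    cp "$work/src/src/main.c" "$work/rel/proj-1.0/src/main.c"
    cp "$work/src/configure.ac" "$work/rel/proj-1.0/configure.ac"
    printf '#!/bin/sh\n' > "$work/rel/proj-1.0/configure"        # generated
    printf '# generated by automake\n' > "$work/rel/proj-1.0/Makefile.in"
    (cd "$work/rel" && tar -cf "$work/proj-1.0.tar" proj-1.0)
    echo "$work"
}

# Stand-alone run: prints "Makefile.in" and "configure".
W=$(make_fixtures)
unreviewed_files "$W/proj-1.0.tar" "$W/src"
```

Against a real release, replace the fixture tree with a checkout of the tagged commit; GNU tar reads compressed tarballs with `tar -tf` as well.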