faradayio / geocode-csv

Geocode a CSV file using the SmartyStreets API

autotools can be used to hide malware #20

Closed kornelski closed 4 months ago

kornelski commented 5 months ago

CVE-2024-3094 has demonstrated that the obscure autotools language and the huge ugly configure scripts are good places for hiding malware.

autotools is not only slow, unmaintained, and difficult to use outside of unix-like platforms, but also a supply chain security liability for downstream users, who are running arbitrary code in an exotic format that few people understand.

The libpostal-sys build runs 13818 lines of arbitrary executable code.

Please consider switching away from autotools.

emk commented 4 months ago

Thank you for the feedback. Unfortunately, we have no plans to overhaul and replace libpostal's build system. It's a large third party dependency, from a known source, and we probably update it once every 5 years or so. You might consider submitting the issue upstream, if they haven't already replaced it themselves.