LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 04-12-2024, 09:08 PM   #91
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,330
Blog Entries: 28


Bruce Schneier has posted a follow-up article which you all might find interesting.
 
4 members found this post helpful.
Old 04-13-2024, 11:22 AM   #92
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,322

I tried that 'follow-up' article. I'm no coder, and I ended up about ½ way through the obfuscation guide coming up for air & feeling the urge for strong liquor. I'm not surprised it took that Jia Tan 2½ years to dream that up. And he probably had a department behind him.
 
Old 04-13-2024, 11:46 AM   #93
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,897

Autotools is such a complex mishmash of m4, shell-script and makefiles that I'm not surprised it's so easy to hide stuff in it. That's why I like the declarative nature of ninja: much harder to hide stuff.
 
Old 04-13-2024, 02:05 PM   #94
the3dfxdude
Member
 
Registered: May 2007
Posts: 731

Quote:
Originally Posted by GazL
Autotools is such a complex mishmash of m4, shell-script and makefiles that I'm not surprised it's so easy to hide stuff in it. That's why I like the declarative nature of ninja: much harder to hide stuff.
Eh, the folks using ninja seem very prone to running git clone and wget to download 100s of things that are not documented at all. Sometimes you pull something down what you are told to run, and it's just a bunch of scripts that don't contain the actual source. I very much prefer autotools more than ever now because you can ship as a project a complete unit that can be studied in its entirety; ready to run. The old ways seem to encourage things that are more auditable in this regard. If anything, the people using ninja usually create even more layers where things can be hidden.

Possibly you can strip ninja down and use it in a traditional way, but it is another dependency just to run a compile, when autotools, when used by the packager, gives you shell code that doesn't need any more dependencies by the downstream user. But is autotools producing complex code? When used badly, yes. But the kind of code being injected by Jia should never have been needed in reality in a production build system, and really should have never been accepted. But he could have just done the same in ninja, anyway. It's a developer cultural change is what we need. The hack he produced was done through social engineering.
 
2 members found this post helpful.
Old 04-13-2024, 02:37 PM   #95
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,322

Quote:
Originally Posted by the3dfxdude
...But the kind of code being injected by Jia should never have been needed in reality in a production build system, and really should have never been accepted. But he could have just done the same in ninja, anyway. It's a developer cultural change is what we need. The hack he produced was done through social engineering.
That, to my mind, is the important point. I'm sure a software guy working for a state or nation in the "Hacking" dept could have hacked any build system that was used. There's no point debating that.

To my mind, the Open Source Community has had its hair parted by a dangerous missile that just missed by a whisker. If there was a Nobel Prize for Software, we should nominate Andres Freund, who got curious enough to discover it.

Businesses and Governments will not sit up and take notice unless they are informed. Where is the FSF, RMS, Linus, or whoever looks after that sort of thing?
 
Old 04-14-2024, 12:07 AM   #96
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,591
Blog Entries: 19

Quote:
Originally Posted by business_kid
Businesses and Governments will not sit up and take notice unless they are informed. Where is the FSF, RMS, Linus, or whoever looks after that sort of thing?
We know where RMS and Linus are. They're in hiding from the politically correct wokerati who targeted both of them. Has everyone forgotten what happened? Hacking (in the good sense of the word) has always been meritocratic and that's incompatible with modern ideas of "diversity, equity and inclusion". So if you drive out the inspired hackers, you get nobbled by crackers.
 
6 members found this post helpful.
Old 04-15-2024, 12:01 AM   #97
guanx
Senior Member
 
Registered: Dec 2008
Posts: 1,179

Quote:
Originally Posted by the3dfxdude
Eh, the folks using ninja seem very prone to running git clone and wget to download 100s of things that are not documented at all. Sometimes you pull something down what you are told to run, and it's just a bunch of scripts that don't contain the actual source. I very much prefer autotools more than ever now because you can ship as a project a complete unit that can be studied in its entirety; ready to run. The old ways seem to encourage things that are more auditable in this regard. If anything, the people using ninja usually create even more layers where things can be hidden.

Possibly you can strip ninja down and use it in a traditional way, but it is another dependency just to run a compile, when autotools, when used by the packager, gives you shell code that doesn't need any more dependencies by the downstream user. But is autotools producing complex code? When used badly, yes. But the kind of code being injected by Jia should never have been needed in reality in a production build system, and really should have never been accepted. But he could have just done the same in ninja, anyway. It's a developer cultural change is what we need. The hack he produced was done through social engineering.
You reminded me of systemd, which intends to integrate the base system into a single process running at the highest privilege, controlled by a single company (IBM) under the control of a single state -- No social engineering is needed.
 
3 members found this post helpful.
Old 04-15-2024, 04:38 AM   #98
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,897

Just to be clear, I was talking about ninja itself, not the front-ends (such as meson/cmake) that people commonly use on top of it. My preference is for basic Makefiles (as long as they're kept readable and not overly-complicated) or raw build.ninja files. The advantage build.ninja files have over Make is that the limited functionality prevents the author getting carried away, something which happens all too often in makefiles.
 
1 members found this post helpful.
Old 04-15-2024, 10:00 AM   #99
the3dfxdude
Member
 
Registered: May 2007
Posts: 731

Quote:
Originally Posted by guanx
You reminded me of systemd, which intends to integrate the base system into a single process running at the highest privilege, controlled by a single company (IBM) under the control of a single state -- No social engineering is needed.
That's totally a social engineering / corporate influence thing. Just not a nefarious one. (one really would hope) The guy used corporate resources to implement his idea even when it took a longer time to adopt it into the internal products, and bullied small independent projects out of their position in the eco-system because they had no support. This is the kind of thing I am talking about. The team around Jia did the same thing, but instead of a company, people say it is a nation intelligence group. When you have a company like Red Hat paying you full time, you can blog about your project, get news writers talking about it, and the influence campaign seems to have random people showing up in your community asking "when are you going to adopt X", and "get with the times", or "maybe we should have a leadership change" (this more so happened around Debian). It did not help either when said people went on further to say your Linux system is going to break unless you maintain it yourself, and you aren't really going to do that all on your own, are ya?

I guess I think an example that is better to talk about than the often brought up one above, is the first Xbox. I met the guy who headed up Xbox, and that thing did not make a profit. It wasn't meant to make a profit then. They purposely discounted the system lower than their competitors when it first went on sale just to get people to buy the thing. Because Microsoft wasn't in the games market. They had bought a studio for PC to make some PC games, but that's all. And had nothing at all in making a console. They spent money just to get influence into the market they wanted to capture. It took a long time, but now look at where they are? They pretty nearly have killed Sony at this point, and own a huge chunk of all the people making games for both PC and console! And guess who works there now? What do you think their next move will be? So any company with deep pockets can quickly influence a project or a market, whether it's MS or IBM, or a nation state. This is where we need a cultural change kind of back to where we were, otherwise we do have more problems coming.
 
5 members found this post helpful.