Concretely, what security issues are solved by forcing the build specification language to be Turing incomplete? My guess is the answer is "none."
At worst, you're actually creating more holes. The reason autoconf/automake exist and M4 scripts are innocuous in the first place is because the build system uses an underpowered language and developers have to turn to code generation to get around it.
If you kneecap the build system's language you're not solving problems. You're creating them.
> it would have required the actor to come up with another vector of code injection which would have been easier to find.
If make was standardized and could programmatically determine the environment its run under and write full programs then the attack vector wouldn't exist in the first place.
> Codebases that bootstrap are the 0.1%.
We have different experiences, because ime it's close to 100% especially when you include transitive dependencies. When you care about supply chain security you care about being able to bootstrap from sources for your code and all your dependencies, and it's almost guaranteed that one of your dependencies needs to be bootstrapped.
At worst, you're actually creating more holes. The reason autoconf/automake exist and M4 scripts are innocuous in the first place is because the build system uses an underpowered language and developers have to turn to code generation to get around it.
If you kneecap the build system's language you're not solving problems. You're creating them.
> it would have required the actor to come up with another vector of code injection which would have been easier to find.
If make was standardized and could programmatically determine the environment its run under and write full programs then the attack vector wouldn't exist in the first place.
> Codebases that bootstrap are the 0.1%.
We have different experiences, because ime it's close to 100% especially when you include transitive dependencies. When you care about supply chain security you care about being able to bootstrap from sources for your code and all your dependencies, and it's almost guaranteed that one of your dependencies needs to be bootstrapped.