Honestly, if the makefile is well written, I will take that any day. Good makefiles are 😙👌.
They are extremely rare, tho…
I guess the solution would be a declarative language that compiles to makefiles. So that people don’t have to know the nitty gritty of writing good makefiles, and can just maintain a file of their dependencies and settings…
I’ve always conjectured that good Makefiles existed but never seen one (or only for tiny projects). The core semantic of Makefiles is clear and straight to the point, I think the issue is in all the magic that was added to that to spare a few lines.
The makefile were never supposed to do more than determine which build tools to call (and how) for a given target. Meaning that in very many cases, makefile are abused to do way too much. I’d argue that you should try to keep your make targets only one line long. Anything bigger and you’re likely doing it wrong (and ought to move it in a shell script, that gets called from the makefile).
It is really challenging to write portable makefiles. There’s BSD make and GNU make, and then there are different tools on different systems. Different dependencies. Different libs. Etc. Not easy.
Why compile to a Makefile? You’d end up with automake gunk all over again. Just use cmake or so, where the declarative language replaces the Makefile entirely
cmake compiles to makefiles as well (it just also supports some other backends). I’m not sure why that matters though. In both cases the makefile is generated.
Not that I’m the biggest fan of CMake’s syntax, but they are fairly concise and standardised. The XZ backdoor hid in amongst thousands of lines of autotools jank that very few people would be able to audit. A short CMakeList that generates a Makefile is a much harder place to hide something nefarious.
There’s actually not that much autotools jank, really. There’s configure.ac and a few Makefile.am. The CMakeLists.txt in the root is bigger than any of those files.
There’s also some stuff from autotools archive in m4/. IMO that’s a bad practice and we should instead be referencing them as a build dependencies.
I’m not convinced this backdoor would have been significantly more difficult to hide in the cmake code.
My point was that packagers should use straight up VCS and run all build tools instead of relying on partially pre-built tarballs uploaded by the upstream maintainers.
Oh yes!
Oh no!
Honestly, if the makefile is well written, I will take that any day. Good makefiles are 😙👌.
They are extremely rare, tho…
I guess the solution would be a declarative language that compiles to makefiles. So that people don’t have to know the nitty gritty of writing good makefiles, and can just maintain a file of their dependencies and settings…
I’ve always conjectured that good Makefiles existed but never seen one (or only for tiny projects). The core semantic of Makefiles is clear and straight to the point, I think the issue is in all the magic that was added to that to spare a few lines.
IMHO the issue is two folds:
Why compile to a Makefile? You’d end up with automake gunk all over again. Just use cmake or so, where the declarative language replaces the Makefile entirely
cmake compiles to makefiles as well (it just also supports some other backends). I’m not sure why that matters though. In both cases the makefile is generated.
Not that I’m the biggest fan of CMake’s syntax, but they are fairly concise and standardised. The XZ backdoor hid in amongst thousands of lines of autotools jank that very few people would be able to audit. A short CMakeList that generates a Makefile is a much harder place to hide something nefarious.
There’s actually not that much autotools jank, really. There’s configure.ac and a few Makefile.am. The CMakeLists.txt in the root is bigger than any of those files.
There’s also some stuff from autotools archive in m4/. IMO that’s a bad practice and we should instead be referencing them as a build dependencies.
I’m not convinced this backdoor would have been significantly more difficult to hide in the cmake code.
My point was that packagers should use straight up VCS and run all build tools instead of relying on partially pre-built tarballs uploaded by the upstream maintainers.
It does? I guess I never looked inside that build directory.
I prefer
justfile
s these days.