What about using sources from version control instead of from released tarballs?
@yossarian @robryk Agree, if the attacker had been forced to commit the changes, there would have been an incrementally higher risk of discovery for them and better traceability for us after the fact, but definitely not a "solution" in any sense. They committed parts that went unnoticed, like https://mastodon.social/@WPalant@infosec.exchange/112184986611495654
Sure, it's not a general solution to the "malicious committer" problem, but it _is_ a solution to _this_ attack. (Obviously, if we were doing that, the attacker would choose a different attack, though potentially risking a larger chance of discovery.)
@robryk single source of releases is a good practice IMO, but isn’t a generalized solution here: the maintainer could just as well have pushed the autoconf changes to a tag on version control.
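One concrete form of the check the thread is discussing, added here as an example and not part of the thread or of any project mentioned in it: compare a release tarball against `git archive` output for the tag it claims to be built from, and report every file the tarball adds or changes relative to what was actually committed. The two archives below are constructed in memory (the file names and contents are made up for the demonstration), and the list of autotools-generated files that are expected to appear only in a tarball is an assumption; in practice you feed it the downloaded tarball and the bytes of `git archive --format=tar <tag>`.

```python
import hashlib
import io
import tarfile

# Files that autotools normally adds to a release tarball but that are not tracked
# in git. Their presence is expected, but their content still cannot be verified
# by this comparison and must be regenerated (autoreconf) to be trusted.
# This list is an assumption for the example, not any project's policy.
EXPECTED_GENERATED = frozenset({"configure", "aclocal.m4", "Makefile.in", "config.h.in"})


def _strip_common_prefix(names):
    """Drop the single top-level directory (e.g. 'proj-1.0/') if every member is under it."""
    tops = {n.split("/", 1)[0] for n in names}
    if len(tops) == 1 and all("/" in n for n in names):
        return {n: n.split("/", 1)[1] for n in names}
    return {n: n for n in names}


def digest_members(tar_bytes):
    """Return {relative path: sha256 hex} for every regular file in the archive."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        members = [m for m in tf.getmembers() if m.isfile()]
        rel = _strip_common_prefix([m.name for m in members])
        for m in members:
            data = tf.extractfile(m).read()
            digests[rel[m.name]] = hashlib.sha256(data).hexdigest()
    return digests


def diff_release_against_tag(tag_tar, release_tar, expected_generated=EXPECTED_GENERATED):
    """Compare a release tarball with `git archive` output for the tag it claims to match.

    Anything in 'modified' or 'unexpected_added' never went through a commit and
    deserves a look before the tarball is used to build.
    """
    tag = digest_members(tag_tar)
    rel = digest_members(release_tar)
    added = sorted(p for p in rel if p not in tag)
    return {
        "added": added,
        "unexpected_added": [p for p in added if p not in expected_generated],
        "removed": sorted(p for p in tag if p not in rel),
        "modified": sorted(p for p in rel if p in tag and rel[p] != tag[p]),
    }


def _make_tar(files, prefix):
    """Build a gzipped tar in memory (stand-in for `git archive` or a downloaded tarball)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: what the tag contains, and a tarball that quietly differs from it.
TAG_FILES = {
    "configure.ac": "AC_INIT([demo], [1.0])\nAC_OUTPUT\n",
    "m4/helper.m4": "AC_DEFUN([DEMO_HELPER], [AC_MSG_NOTICE([helper])])\n",
    "src/lib.c": "int demo(void) { return 1; }\n",
}
RELEASE_FILES = dict(TAG_FILES)
RELEASE_FILES["configure"] = "#!/bin/sh\n# generated by autoconf\n"           # expected in a tarball
RELEASE_FILES["m4/helper.m4"] += "dnl extra macro logic present only in the tarball\n"  # never committed


def demo():
    """Run the comparison on the constructed sample archives."""
    tag_tar = _make_tar(TAG_FILES, "demo-1.0/")
    release_tar = _make_tar(RELEASE_FILES, "demo-1.0/")
    return diff_release_against_tag(tag_tar, release_tar)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On the sample, `modified` flags `m4/helper.m4` and `added` contains only the allow-listed `configure`. Two caveats follow directly from the thread: the allow-listed generated files are precisely the ones this comparison cannot vouch for (regenerate them from the tag rather than trusting the tarball's copies), and, as the last reply points out, the check gives nothing against a maintainer who commits the same changes to the tag itself.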