Gentoo Forums
The xz package has been backdoored
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21650

Posted: Mon Apr 15, 2024 6:31 pm

The proposed "easy way" is a specific case of the idea that each stage of the build should have access only to data it reasonably needs for proper operation, and nothing more. "Easy ways" that may or may not be so easy:
  • Run the build without network access, so no blobs can be downloaded. For many years, this was easily supported. Then Go and Rust made it standard to download blobs from the Internet during the compile phase, and now distributions need to go through extra effort to get those packages to work properly.
  • Run the build with only the files needed by that stage of the build. Delete all "unneeded" files before starting each stage. This has the drawback that someone needs to maintain a list of what is needed, and while upstream could propose an initial value for this list, if we assume a hostile developer upstream, then the list of required files itself becomes a target, and distributors would need to audit that the list is safe and minimal.
  • Insist that the build script be "obvious" to qualified maintainers. A downstream distributor should be able to review the build and determine that even if binary blobs are present, they are obviously not used. If the distributor cannot confidently state that to be true (and many autotools-based systems will fail this test, just because autotools is so complex), then the build system is presumed to be too complex and presumed to be hiding something. This bullet point has the drawback that it will likely have a high false positive rate, flagging build systems that are not hiding anything malicious, but are just messy or complicated because no one can or will clean them up.
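The second bullet above (run each stage with only the files it needs, and treat the required-files list itself as something to audit) as an added worked example. This is not code from Hu's post, nor from Gentoo or Portage; the one-path-per-line allowlist format, the NUL-byte heuristic for "looks like a blob", the permit_binary mechanism and the sample source tree are all assumptions made for the example.

```python
"""Per-stage minimal build tree from an explicit allowlist, plus an audit of
that list for opaque blobs. Added example, not Gentoo's or Portage's code; the
allowlist format, NUL-byte heuristic and sample tree are assumptions."""
import os
import shutil
import tempfile

# Constructed allowlist for a sample tree's configure/compile stage.
ALLOWLIST_TEXT = """\
configure.ac
Makefile.am
src/main.c
tests/files/sample.bin   # binary test vector: must be explicitly permitted
"""


def load_allowlist(text):
    """One relative path per line; '#' starts a comment; blanks ignored."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.append(os.path.normpath(line))
    return paths


def looks_binary(path, sample=8192):
    """Crude blob detector: any NUL byte in the first 8 KiB."""
    with open(path, "rb") as f:
        return b"\x00" in f.read(sample)


def audit_allowlist(src, allowlist):
    """extra: in src but unlisted (pruned before the stage runs);
    missing: listed but absent (fail, don't guess);
    binary: listed files that look like blobs (a reviewer must justify)."""
    present = set()
    for dirpath, _, files in os.walk(src):
        for name in files:
            present.add(os.path.relpath(os.path.join(dirpath, name), src))
    allowed = set(allowlist)
    return {
        "extra": sorted(present - allowed),
        "missing": sorted(allowed - present),
        "binary": sorted(p for p in allowed & present
                         if looks_binary(os.path.join(src, p))),
    }


def stage_minimal_tree(src, allowlist, dest, permit_binary=()):
    """Copy only allowlisted files into dest, the directory the build stage
    will run in. Refuse blobs the reviewer has not named in permit_binary."""
    report = audit_allowlist(src, allowlist)
    unjustified = [p for p in report["binary"] if p not in permit_binary]
    if unjustified:
        raise ValueError("unreviewed binary inputs on allowlist: %r" % unjustified)
    if report["missing"]:
        raise FileNotFoundError("allowlist names absent files: %r" % report["missing"])
    for rel in allowlist:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)
    return sorted(allowlist)


def make_sample_tree(base):
    """Constructed sample source tree (not a real project)."""
    text_files = {
        "configure.ac": "AC_INIT([demo], [1.0])\n",
        "Makefile.am": "bin_PROGRAMS = demo\ndemo_SOURCES = src/main.c\n",
        "src/main.c": "int main(void) { return 0; }\n",
        "m4/extra.m4": "dnl not needed by this stage\n",
    }
    for rel, body in text_files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    blob = os.path.join(base, "tests", "files", "sample.bin")
    os.makedirs(os.path.dirname(blob), exist_ok=True)
    with open(blob, "wb") as f:
        f.write(b"\x00\x01\x02 constructed binary test vector \x00")
    return base


def demo():
    """Audit the sample tree, show the refusal, then stage with the blob
    permitted. Returns (report, refused, copied)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_tree(os.path.join(tmp, "src"))
        allow = load_allowlist(ALLOWLIST_TEXT)
        report = audit_allowlist(src, allow)
        try:
            stage_minimal_tree(src, allow, os.path.join(tmp, "stage-a"))
            refused = False
        except ValueError:
            refused = True  # blob on the list but not reviewed: stop here
        copied = stage_minimal_tree(src, allow, os.path.join(tmp, "stage-b"),
                                    permit_binary={"tests/files/sample.bin"})
        return report, refused, copied
```

Calling demo() walks the sample tree, reports m4/extra.m4 as unlisted (so it would be deleted before the stage), flags tests/files/sample.bin as a blob and refuses to stage until that file is named in permit_binary. The point of the refusal is the one Hu makes: an upstream-supplied list is itself untrusted input, so anything opaque on it has to be justified by the distributor rather than waved through. For the first bullet, Portage's FEATURES=network-sandbox already isolates ebuild phases from the host network; this example covers the file-level side that Portage does not do for you.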
Taigo
n00b
Joined: 09 Nov 2022
Posts: 71
Location: the Netherlands

Posted: Tue Apr 16, 2024 9:40 am    Post subject: Re: The xz package has been backdoored

pablo_supertux wrote:
I was made aware of this: https://archlinux.org/news/the-xz-package-has-been-backdoored/

My system is currently using app-arch/xz-utils-5.6.1 which seems to be affected. I also found this: https://bugs.gentoo.org/928134

Should I downgrade app-arch/xz-utils to 5.4.6-r1?

It's going to be a hot topic for a week or two yet. Stuck by NeddySeagoon

From what I heard, Gentoo systems weren't affected anyway, but of course it is still a good idea to downgrade.
By then the package had already been masked though, and I'm now on xz-utils 5.4.2.
Page 5 of 5