One obvious thing in all this is that complexity is the enemy of security.
People often talk about “secure vs insecure languages,” but I’m more concerned about insecure build systems. Antiquated build systems like Autotools and practices like generating source tarballs provide too many opportunities for things like this to hide. Contrast this with package systems that fetch sources directly from Git and languages that have self-contained build systems – your exposure is much smaller. See:
We don’t need to generate source tarballs anymore – just clone directly from Git – as long as Git never gets hacked …
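One concrete check that follows from the two points above, as an added example that is not part of the original post: compare a release tarball against the version-controlled tree it claims to come from, and report files that exist only in the tarball or whose bytes differ. Everything here is constructed for the demonstration (the tiny `tree/` directory, the `demo-1.0.tar.gz` artifact and the file names in it); in real use `tree_dir` would be a fresh `git clone` checked out at the release tag, or the output of `git archive`.

```python
"""Diff a source tarball against a checked-out source tree.

Hypothetical helper written for this example, not code from the post.
Files that appear only in the tarball, or that differ from the tree,
are exactly where an export step outside version control can hide things.
"""
import shutil
import tarfile
import tempfile
from pathlib import Path


def strip_top_dir(name):
    """'demo-1.0/m4/real.m4' -> 'm4/real.m4' (tarballs wrap a top-level dir)."""
    parts = name.split("/", 1)
    return parts[1] if len(parts) == 2 else parts[0]


def compare_tarball_to_tree(tarball, tree_dir):
    """Return (extra, modified).

    extra:    regular files shipped in the tarball but absent from tree_dir
    modified: files present in both whose contents are not byte-identical
    """
    tree_dir = Path(tree_dir)
    extra, modified = [], []
    with tarfile.open(tarball) as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue  # directories, symlinks etc. are out of scope here
            rel = strip_top_dir(member.name)
            local = tree_dir / rel
            if not local.is_file():
                extra.append(rel)
                continue
            if tf.extractfile(member).read() != local.read_bytes():
                modified.append(rel)
    return sorted(extra), sorted(modified)


def build_demo(workdir):
    """Constructed sample data: a 'git' tree and a tarball exported from a
    copy of it that was edited after export (one changed file, one new file)."""
    work = Path(workdir)
    tree = work / "tree"
    (tree / "m4").mkdir(parents=True)
    (tree / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
    (tree / "m4" / "real.m4").write_text("dnl tracked macro\n")

    release = work / "demo-1.0"
    shutil.copytree(tree, release)
    (release / "configure.ac").write_text("AC_INIT([demo], [1.0])\ndnl edited after export\n")
    (release / "m4" / "extra.m4").write_text("dnl only present in the release artifact\n")

    tarball = work / "demo-1.0.tar.gz"
    with tarfile.open(tarball, "w:gz") as tf:
        tf.add(release, arcname="demo-1.0")
    return str(tarball), str(tree)


def demo():
    """Run the comparison on the constructed sample and return its findings."""
    with tempfile.TemporaryDirectory() as workdir:
        tarball, tree = build_demo(workdir)
        return compare_tarball_to_tree(tarball, tree)


if __name__ == "__main__":
    extra, modified = demo()
    for rel in extra:
        print("only in tarball:", rel)
    for rel in modified:
        print("differs from tree:", rel)
```

The comparison deliberately reads bytes rather than trusting names or sizes, so a same-named file with altered contents is caught as well as a file that was never under version control. A packaging pipeline can run this once per release and refuse to build when either list is non-empty.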
Should we still be implementing critical components like OpenSSH in C/C++? I switched from Apache/Nginx to Caddy a long time ago and never looked back. Perhaps an OpenSSH replacement written in Go will emerge. Perhaps we should be building our C/C++ code with Zig these days. There are better ways to do things today than using layer upon layer of build systems and tossing around tarballs.
This also brings up the question – should we be rebuilding everything all the time? Are we better off using a trusted build of Go directly from go.dev rather than trusting Yocto, or some other Linux distribution, to build it for me? The same goes for NPM, etc. But there are concerns with centralization, so perhaps this is not the answer. Continuing to emphasize transparency and simplicity is probably the only realistic path. But one thing is certain: as systems get more complex, we must simplify the tools we use to build these systems.