Possibly linuxXZ backdoor in a nutshell
refreezeI have been reading about this since the news broke and still can’t fully wrap my head around how it works. What an impressive level of sophistication.
rockSlayerAnd due to open source, it was still caught within a month. Nothing could ever convince me more than that how secure FOSS can be.
LungIdk if that’s the right takeaway, more like ‘oh shit there’s probably many of these long con contributors out there, and we just happened to catch this one because it was a little sloppy due to the 0.5s thing’
This shit got merged. Binary blobs and hex digit replacements. Into low level code that many things use. Just imagine how often there’s no oversight at all
Yes, and the moment this broke other project maintainers are working on finding exploits now. They read the same news we do and have those same concerns.
Very generous to imagine that maintainers have so much time on their hands
Bug fixes can be delayed for a security sweep. One of the quicker ways that come to mind is checking the hash between built from source and the tarball
The whole point here is that the build process was infiltrated - so you’d have to remake the build system yourself to compare, and that’s not a task that can be automated