I found this Veritasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:

@bagder I'm confused as to why binary blobs are allowed to be stored in public source code repositories anyways.
I mean, I understand if you want to include assets for a game, but wouldn't it then be safer to store them in a readable format before compression? As a simplified example, PNGs could be stored as XPM in source and then converted into the better format using provided tools, also in the repo.
TL;DR: If blobs are to be used in tests, write a tool that generates the blob for them.
@thanius convenience? lack of time? didn't think of the security implications?
Keeping everything readable all over takes effort. In the curl project the xz event kicked off a journey making sure we have less opaque data everywhere in git. It is work that is still ongoing!
@bagder Yeah, I understand it takes time to backtrack through an entire project or projects to make everything transparent for reviewers.
But after this debacle I hope that more developers look into dogfooding their binary storage in projects. I too am responsible for storing blobs, albeit in private repos, but I've since tried to implement build-time asset transformation instead even though it may bulk up the repos.
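One way to put the "generate the blob with a tool" idea and the curl-style audit for opaque data into practice, as an added example that is not code from the thread or from the curl project. It assumes a constructed convention where every binary fixture `foo.xz` has a reviewable sibling `foo.txt` and is rebuilt with one fixed, deterministic lzma recipe, so a check can flag any blob that is not byte-for-byte regenerable from readable source.

```python
import lzma
import tempfile
from pathlib import Path

# Fixed recipe so regeneration is byte-for-byte deterministic (assumed convention).
FILTERS = [{"id": lzma.FILTER_LZMA2, "preset": 6}]


def generate_fixture(readable: bytes) -> bytes:
    """Build the opaque .xz test blob from its human-reviewable source bytes."""
    return lzma.compress(readable, format=lzma.FORMAT_XZ,
                         check=lzma.CHECK_CRC64, filters=FILTERS)


def is_opaque(data: bytes) -> bool:
    """True for content a reviewer cannot read in a diff: NUL bytes or non-UTF-8."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def audit_tree(root: Path) -> dict:
    """Classify each file as 'text', 'reproducible' (blob == regenerated from its
    sibling .txt source) or 'unexplained' (opaque bytes with no readable origin)."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if not is_opaque(data):
            report[rel] = "text"
            continue
        source = path.with_suffix(".txt")
        if source.is_file() and generate_fixture(source.read_bytes()) == data:
            report[rel] = "reproducible"
        else:
            report[rel] = "unexplained"  # this is what a reviewer should ask about
    return report


def demo() -> dict:
    """Constructed sample tree: a readable source, its regenerated blob, a stray blob."""
    root = Path(tempfile.mkdtemp())
    payload = b"name: sample\nvalue: 42\n" * 8
    (root / "good.txt").write_bytes(payload)
    (root / "good.xz").write_bytes(generate_fixture(payload))
    (root / "stray.xz").write_bytes(b"\xfd7zXZ\x00\x00\x01\xff")  # constructed, no source
    return audit_tree(root)
```

Running `audit_tree` over a checkout in CI turns "is this blob explained?" into a failing check instead of something a reviewer has to remember to ask.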