• @rockSlayer@lemmy.world
    link
    fedilink
    84
    edit-2
    8 months ago

    And due to open source, it was still caught within a month. Nothing could ever convince me more than that how secure FOSS can be.

    • Lung
      link
      fedilink
      958 months ago

      Idk if that’s the right takeaway, more like ‘oh shit there’s probably many of these long con contributors out there, and we just happened to catch this one because it was a little sloppy due to the 0.5s thing’

      This shit got merged. Binary blobs and hex digit replacements. Into low level code that many things use. Just imagine how often there’s no oversight at all

      • @rockSlayer@lemmy.world
        link
        fedilink
        508 months ago

        Yes, and the moment this broke other project maintainers are working on finding exploits now. They read the same news we do and have those same concerns.

        • Lung
          link
          fedilink
          228 months ago

          Very generous to imagine that maintainers have so much time on their hands

          • @rockSlayer@lemmy.world
            link
            fedilink
            11
            edit-2
            8 months ago

            Bug fixes can be delayed for a security sweep. One of the quicker ways that come to mind is checking the hash between built from source and the tarball

            • Lung
              link
              fedilink
              148 months ago

              The whole point here is that the build process was infiltrated - so you’d have to remake the build system yourself to compare, and that’s not a task that can be automated

        • @Corngood@lemmy.ml
          link
          fedilink
          198 months ago

          I wonder if anyone is doing large scale searches for source releases that differ in meaningful ways from their corresponding public repos.

          It’s probably tough due to autotools and that sort of thing.

      • The Quuuuuill
        link
        fedilink
        English
        288 months ago

        I was literally compiling this library a few nights ago and didn’t catch shit. We caught this one but I’m sure there’s a bunch of “bugs” we’ve squashes over the years long after they were introduced that were working just as intended like this one.

        The real scary thing to me is the notion this was state sponsored and how many things like this might be hanging out in proprietary software for years on end.

    • slazer2au
      link
      fedilink
      English
      88 months ago

      Yea, but then heartbleed was a thing for how long that no-one noticed?

      The value of foss is so many people with a wide skill set can look at the same problematic code and dissect it.