The xz backdoor was an example of exploiting this disconnect. It was not present in the repository, it was inserted only into the release artifacts. Anyone getting xz by checking out the repository and building it themselves, would not be affected by it.
The xz backdoor was an example of exploiting this disconnect. It was not present in the repository, it was inserted only into the release artifacts. Anyone getting xz by checking out the repository and building it themselves, would not be affected by it.
I think that's a slight mischaracterization. It was present in the repo but obfuscated and rigged to only apply in release artifacts.
A sufficiently technical user could have found it but that bar was pretty high to clear.
I'm pretty sure that's incorrect. One portion of the build-to-host buildfile was only present in the release tarball.
https://www.openwall.com/lists/oss-security/2024/03/29/4
1 reply →