
Comment by embedding-shape

3 months ago

> SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware.

Seems it's lacking in information about how malware manages to compromise supposedly signed releases? Do authors not have the production signing keys behind a password or similar, and review 100% of the changes before they deploy stuff?

I swear the more time goes on, the more I'm losing faith in the entire ecosystem. People running random binaries on the same device they do banking on always surprised me, but now developers manage to get malware on their developer machine and are publishing random binaries to other strangers???

The malware need not actively create a release like a worm; it can just infect every build, and if you don't check carefully, your next regular release will contain it.
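The check the reply above points at is comparing what was actually shipped against a clean rebuild, since a valid signature only proves the artifact was signed by the key on the (possibly compromised) build machine, not that its contents are what the source produces. The script below is an added example, not code from the thread or from the SmartTube project: it treats two APK-style zip archives as sets of entries, hashes each entry's uncompressed content, and reports entries that were added, removed or modified in the released build relative to the clean rebuild. Signature metadata under META-INF/ is skipped on purpose, because a clean rebuild is expected to be signed by a different key. Both archives are constructed in memory so the example runs offline; the entry names and contents are made up for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample artifacts (not real SmartTube releases): a clean rebuild
# from source and a "released" build that carries extra material injected
# before signing. Both are assembled in memory so the script runs offline.
def _make_archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

CLEAN_BUILD = _make_archive({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00clean-bytecode",
    "res/values.xml": b"<resources/>",
    "META-INF/CERT.RSA": b"signature-block-from-clean-rebuild-signer",
})

RELEASED_BUILD = _make_archive({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00clean-bytecode-plus-injected-code",
    "res/values.xml": b"<resources/>",
    "assets/payload.bin": b"constructed-unexpected-extra-file",
    "META-INF/CERT.RSA": b"signature-block-from-official-signer",
})

# Entries under this prefix hold the APK signature and are expected to differ
# between a release and a locally signed rebuild, so they are not compared.
SIGNATURE_PREFIX = "META-INF/"


def digest_entries(archive_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIX):
                continue
            with zf.open(info) as fh:
                digests[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_builds(released_bytes, clean_bytes):
    """Return the entries that were added, removed or changed in the released
    build compared with the clean rebuild. Any non-empty list is a finding."""
    released = digest_entries(released_bytes)
    clean = digest_entries(clean_bytes)
    shared = released.keys() & clean.keys()
    return {
        "added": sorted(set(released) - set(clean)),
        "removed": sorted(set(clean) - set(released)),
        "modified": sorted(name for name in shared if released[name] != clean[name]),
    }


def is_clean(report):
    """True only when the released build matches the clean rebuild entry for entry."""
    return not (report["added"] or report["removed"] or report["modified"])


if __name__ == "__main__":
    report = diff_builds(RELEASED_BUILD, CLEAN_BUILD)
    for kind in ("added", "removed", "modified"):
        for name in report[kind]:
            print(f"{kind:9s} {name}")
    verdict = "matches clean rebuild" if is_clean(report) else "DIFFERS from clean rebuild"
    print("verdict:", verdict)
```

Against the constructed sample this flags `classes.dex` as modified and `assets/payload.bin` as an unexpected addition. In practice the comparison is only meaningful when the project builds reproducibly (same toolchain, pinned dependencies, no embedded timestamps), otherwise every rebuild differs and the signal is lost; the content-level hashing here deliberately ignores zip entry timestamps, but it cannot compensate for a non-reproducible build.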

  • It's one of the reasons we fight holy wars for SSO and strict login rules even for Dev or QA environments -- if you can get in during a dev build you can get stuff in there that carries through.

    maybe QA will find it... but they're testing X number of JIRA tickets based on Y epics and if it's not on the list they're not looking...