• rockSlayer@lemmy.world
    link
    fedilink
    arrow-up
    50
    ·
    8 months ago

    Yes, and the moment this broke other project maintainers are working on finding exploits now. They read the same news we do and have those same concerns.

      • rockSlayer@lemmy.world
        link
        fedilink
        arrow-up
        11
        ·
        edit-2
        8 months ago

        Bug fixes can be delayed for a security sweep. One of the quicker ways that come to mind is checking the hash between built from source and the tarball

        • Lung@lemmy.world
          link
          fedilink
          arrow-up
          14
          ·
          8 months ago

          The whole point here is that the build process was infiltrated - so you’d have to remake the build system yourself to compare, and that’s not a task that can be automated

    • Corngood@lemmy.ml
      link
      fedilink
      arrow-up
      19
      ·
      8 months ago

      I wonder if anyone is doing large scale searches for source releases that differ in meaningful ways from their corresponding public repos.

      It’s probably tough due to autotools and that sort of thing.