• we_avoid_temptation@lemmy.zip
    link
    fedilink
    English
    arrow-up
    41
    arrow-down
    2
    ·
    edit-2
    8 months ago

    Why would they do this?

    Also, if you wanted to do this yourself, it is technically possible. Go build LFS and read every single LOC.

    • Successful_Try543@feddit.de
      link
      fedilink
      arrow-up
      55
      ·
      edit-2
      8 months ago

      The kernel alone has more than 30,000,000 LOC. Alone reading would take forever and a day for a single person, let alone understand it.

      • biribiri11@lemmy.ml
        link
        fedilink
        arrow-up
        47
        ·
        edit-2
        8 months ago

        That’s barely the tip of the iceberg, too. Currently, popular projects sit at:

        31M for KDE

        25M for GNOME

        41M for Chromium

        42M for Mozilla Firefox

        17M for LLVM

        15M for GCC

        (Note that this metric includes comments and blank lines, to which Linux would count at 46M lines. Counts with blank lines and comments removed are also in those links)

        Even if a package was completely vetted, line-by-line, before it made it into a repo, would the maintainer need to get every update, too? Every PR? Imagine the maintenance burden. This code QA and maintainer burden discussion was the crux of one of the most popular discussions on the Fedora devel list.

        • lily33@lemm.ee
          link
          fedilink
          arrow-up
          25
          ·
          8 months ago

          Finally, presumably if anyone added some malicious code in a their program, it would be sneaky and not obvious from quickly reading the code.

          • Norgur@kbin.social
            link
            fedilink
            arrow-up
            38
            ·
            8 months ago

            I’d expect them to properly comment it with “#-------Begin malicious shit--------”.
            COMMENT YOUR CODE, PEOPLE!

            • lily33@lemm.ee
              link
              fedilink
              arrow-up
              14
              ·
              edit-2
              8 months ago

              Oh, in that case we don’t need to read either - just run a simple grep!

              • Norgur@kbin.social
                link
                fedilink
                arrow-up
                11
                ·
                8 months ago

                Those malicious coders are too sly for that. Some write “Sh1t” to throw grep off, others even do a “B3g1n”… They are always one step ahead!

                • lily33@lemm.ee
                  link
                  fedilink
                  arrow-up
                  5
                  ·
                  8 months ago

                  Good point. I’d try to grep for something like [Bb3][Ee3]g[Ii1][nη]\w+<and so on> but I just know I’ll miss something

          • banazir@lemmy.ml
            link
            fedilink
            arrow-up
            12
            ·
            8 months ago

            Well yeah, the recent xz vulnerability was not present in the source code at all. Any amount of code reading would not have caught that one.

            • Successful_Try543@feddit.de
              link
              fedilink
              arrow-up
              3
              ·
              edit-2
              8 months ago

              Wasn’t the problem that it the backdoor was not present in the source code on GitHub, but was in the source tarball? So as long as one reads the code that one actually builds from should be fine.

              • SuperIce@lemmy.world
                link
                fedilink
                English
                arrow-up
                6
                ·
                8 months ago

                A line of code that enables the backdoor was out present in the tarball. The actual code was obfuscated within an archive used for the unit testing.

          • leopold@lemmy.kde.social
            link
            fedilink
            English
            arrow-up
            14
            ·
            edit-2
            8 months ago

            It’s even more bonkers than it sounds. If you look at the code locations for that KDE count, you’ll see it also includes just about every KDE project. That’s not just Plasma, that’s hundreds of projects, including some really big ones like Krita, Kdenlive, Calligra, LabPlot, Kontact, Digikam and Plasma Mobile. Hell, it even includes KHTML/KJS, KDE’s defunct web engine as well as the ancestor of WebKit and Blink. It even includes AngelFish and Falkon, KDE’s current web browser frontends.

            Same deal with GNOME. It includes just about everything on GNOME’s GitLab, even things that are merely hosted there without strictly being GNOME projects, like GIMP and GTK.

            And yet still they are both that far behind Chromium and Firefox. Modern web browsers are ludicrous.