ihatelinux@sh.itjust.works to Linux@lemmy.ml · 2 months agoDoes any distro read through 100% of the source-code of a package before adding it to its repo?message-squaremessage-square58fedilinkarrow-up1123arrow-down19
arrow-up1114arrow-down1message-squareDoes any distro read through 100% of the source-code of a package before adding it to its repo?ihatelinux@sh.itjust.works to Linux@lemmy.ml · 2 months agomessage-square58fedilink
minus-squarebanazir@lemmy.mllinkfedilinkarrow-up12·2 months agoWell yeah, the recent xz vulnerability was not present in the source code at all. Any amount of code reading would not have caught that one.
minus-squareSuccessful_Try543@feddit.delinkfedilinkarrow-up3·edit-22 months agoWasn’t the problem that it the backdoor was not present in the source code on GitHub, but was in the source tarball? So as long as one reads the code that one actually builds from should be fine.
minus-squareSuperIce@lemmy.worldlinkfedilinkEnglisharrow-up6·2 months agoA line of code that enables the backdoor was out present in the tarball. The actual code was obfuscated within an archive used for the unit testing.
minus-squareSuccessful_Try543@feddit.delinkfedilinkarrow-up4·2 months agoOK. So simply reading what was readable wouldn’t have helped. Thanks.
Well yeah, the recent xz vulnerability was not present in the source code at all. Any amount of code reading would not have caught that one.
Wasn’t the problem that
itthe backdoor was not present in the source code on GitHub, but was in the source tarball? So as long as one reads the code that one actually builds from should be fine.A line of code that enables the backdoor was out present in the tarball. The actual code was obfuscated within an archive used for the unit testing.
OK. So simply reading what was readable wouldn’t have helped. Thanks.