this post was submitted on 31 Mar 2024
546 points (97.4% liked)

Open Source

31088 readers
657 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
546
“the lesson I'm choosing to take from xz, as an oss maintainer, is that anyone trying to pressure or guilt me into doing something should immediately be told no, for security reasons” (crabby.fyi)
submitted 7 months ago by [email protected] to c/[email protected]
44 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 7 months ago (2 children)

as a non developer myself, to my understanding, the vulnerabilities were implemented in test binaries?

If so, i question why those were shipped to the client. Unless they were built into the package itself on the mirror, in which case, still curious as to why that would be. I would think tests are entirely benign and do nothing. Seems like it would be incredibly bad practice to do otherwise?

Seems like an obvious vector to shutdown any potential fuckery. But what do i fucking know.

[–] tomalley8342 23 points 7 months ago (1 children)

The compile process was modified to decrypt and unpack the "corrupted" test zip file, which was actually a code patch, and apply said code patch before assembly of the final binaries.

[–] [email protected] 1 points 7 months ago

hmm ok. Yeah idk, even from an organization aspect, i still wouldn't consider that to be ok. Test files that patch code on the fly is a recipe for a nightmare of maintenance. Which i suppose is the idea here considering that it's malicious code lol.

[–] Fave 17 points 7 months ago* (last edited 7 months ago) (1 children)

It is way more complicated than that. Very good explanation, I could never do it justice.

Edit: I found an even better one https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

[–] [email protected] 1 points 7 months ago

i know it's rather involved, i've been tailing it from the sidelines, though like i said, i am not a developer, so in terms of code and maintaining code im blind there. But everything else i understand.

It's definitely an interesting situation to observe.