silly premise

Posted Sep 2, 2025 16:02 UTC (Tue) by jafd (subscriber, #129642)
In reply to: silly premise by HenrikH
Parent article: The hidden vulnerabilities of open source (FastCode)
Note that in the specific XZ case, the bit where it all went downhill was not in the repository access itself, but in the ability to roll out releases and having things in the tarball that have never even been in the git repository — those who built from git didn't contract the vulnerability. One way it could be interpreted is that the commit history makes nefarious things way shallower than delving into release tarballs, which usually also contain generated code.
Posted Sep 10, 2025 16:33 UTC (Wed) by zwol (guest, #126152)
It's true that a key piece of the XZ attack payload was only in distribution tarballs, but most of it was checked in, concealed as test data. Given the same social conditions -- an overworked lone maintainer delighted to have help from anyone -- I can easily imagine the same kind of attack being just as successful (or more!) with all of it checked in.