silly premise
Posted Sep 10, 2025 16:33 UTC (Wed) by zwol (guest, #126152)
In reply to: silly premise by jafd
Parent article: The hidden vulnerabilities of open source (FastCode)
It's true that a key piece of the XZ attack payload was only in distribution tarballs, but most of it was checked in, concealed as test data. Given the same social conditions -- an overworked lone maintainer delighted to have help from anyone -- I can easily imagine the same kind of attack being just as successful (or more!) with all of it checked in.

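As an added example (not code from zwol's comment, the article, or the xz project), here is the check a practitioner would want for the tarball-versus-repository divergence the comment refers to: hash every regular file in a release tarball and in the tagged source tree, then report what exists only in the release, what differs, and what is missing. Both tarballs are constructed in memory below with a made-up project name; in real use the VCS side would come from `git archive <tag>` and the release side from the downloaded distribution tarball. Generated build output (such as `configure`) is expected to show up as release-only, so the result is a triage list, not a verdict.

```python
"""Added example: compare a release tarball against the VCS source tree.

Constructed, self-contained demonstration. The "vcs" tarball stands in for
`git archive <tag>` output and the "release" tarball for the distribution
tarball; everything below is sample data, not real project files.
"""
import hashlib
import io
import tarfile


def build_tarball(files):
    """Build an in-memory .tar.gz from a {path: bytes} mapping (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_tarball(blob):
    """Map each regular file to its SHA-256, dropping the top-level directory.

    Both `git archive --prefix=` and release tarballs wrap files in a single
    directory whose name (e.g. proj-1.0 vs proj) need not match, so it is
    stripped before comparison.
    """
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue  # directories, symlinks etc. are not compared here
            name = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tf.extractfile(member).read()
            out[name] = hashlib.sha256(data).hexdigest()
    return out


def compare_release_to_vcs(release_blob, vcs_blob):
    """Classify release files relative to the VCS tree.

    only_in_release: files with no counterpart in the repository (generated
    build files are expected here; anything else needs a reviewer's eyes).
    modified: same path, different content.
    missing_from_release: repository files the tarball dropped.
    """
    rel = digest_tarball(release_blob)
    vcs = digest_tarball(vcs_blob)
    return {
        "only_in_release": sorted(set(rel) - set(vcs)),
        "modified": sorted(p for p in rel if p in vcs and rel[p] != vcs[p]),
        "missing_from_release": sorted(set(vcs) - set(rel)),
    }


def demo():
    """Run the comparison on constructed sample trees (hypothetical project 'proj')."""
    vcs_files = {
        "proj/configure.ac": b"AC_INIT([proj], [1.0])\n",
        "proj/src/lib.c": b"int f(void) { return 0; }\n",
        "proj/tests/files/good.bin": b"\x00\x01\x02\x03",
    }
    release_files = {
        "proj-1.0/configure.ac": b"AC_INIT([proj], [1.0])\n",
        "proj-1.0/configure": b"#!/bin/sh\n# generated by autoconf (sample)\n",
        "proj-1.0/m4/extra.m4": b"dnl present only in the tarball (sample)\n",
        "proj-1.0/src/lib.c": b"int f(void) { return 0; }\n",
        "proj-1.0/tests/files/good.bin": b"\x00\x01\x02\x04",  # one byte changed
    }
    return compare_release_to_vcs(build_tarball(release_files), build_tarball(vcs_files))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The release-only and modified lists are where review effort belongs: a generated `configure` is normal, but a macro file or a changed "test data" blob that the repository never saw is exactly the kind of thing that should block a release from being packaged until someone has read it.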