
A backdoor in xz

Posted Mar 30, 2024 1:29 UTC (Sat) by bluca (subscriber, #118303)
In reply to: A backdoor in xz by jengelh
Parent article: A backdoor in xz

Of course by itself it doesn't prove that the software is not malicious, how could it? That's not the point, the point is increasing auditability. A commit in a repository is eminently auditable, while random stuff getting injected from a developer's machine in a tarball after the fact, before publishing, is not.


A backdoor in xz

Posted Apr 3, 2024 7:21 UTC (Wed) by LtWorf (subscriber, #124958)

Well, a commit that generates a configure script is very unlikely to get seriously reviewed.

A backdoor in xz

Posted Apr 5, 2024 13:20 UTC (Fri) by rav (guest, #89256)

My approach to reviewing commits with autogenerated code (in the context of approving a pull request) is to autogenerate the code myself and see if I get the same result. If there are differences between the submitted code and what I could autogenerate myself, then that's probably the interesting stuff to look at. If I don't know how to autogenerate it myself, I ask the author to provide the instructions in the commit message or in a source code comment. Having autogenerated code in a source code repository is not nice, but if it's necessary, then the code review process needs to adapt to it.
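One way to mechanise the review step described in the comment above (regenerate the artefact yourself and read only what the submitter's copy has that a clean regeneration does not). This is an added example, not code from this thread or from the xz project: `regen_and_diff` and `sample_generator` are names chosen here, the generator is a constructed stand-in for a real tool such as autoconf, and the sample files and the extra line in the "submitted" copy are constructed inputs so the script runs offline.

```shell
#!/bin/sh
# Added example: regenerate an autogenerated file with the documented generator
# and diff the result against the copy submitted for review. Lines that the
# generator cannot reproduce are the ones the reviewer must read by hand.
#
# Usage: regen_and_diff <submitted-file> <generator-command> [args...]
#   returns 0 if the submission is byte-identical to a clean regeneration,
#   1 if it differs (the extra lines are printed on stdout),
#   2 if the generator itself failed.
regen_and_diff() {
    submitted=$1
    shift
    tmp=$(mktemp) || return 2
    out=$(mktemp) || { rm -f "$tmp"; return 2; }
    # Run the generator exactly as the commit message documents it,
    # capturing what it would have produced from the current sources.
    if ! "$@" > "$tmp"; then
        rm -f "$tmp" "$out"
        return 2
    fi
    if diff -u "$tmp" "$submitted" > "$out"; then
        rm -f "$tmp" "$out"
        return 0
    fi
    # Keep only lines present in the submission but absent from the clean
    # regeneration ('+' lines, excluding the '+++' file header).
    grep '^+[^+]' "$out" | sed 's/^+//'
    rm -f "$tmp" "$out"
    return 1
}

# Constructed stand-in generator (not a real tool): emits a fixed script.
sample_generator() {
    printf '%s\n' '#!/bin/sh' \
        '# Generated by sample_generator; do not edit.' \
        'echo "configured"'
}

# Constructed sample inputs: a faithful copy and one with a line the
# generator never emits. Argument: directory to write into.
write_samples() {
    sample_generator > "$1/configure.clean"
    printf '%s\n' '#!/bin/sh' \
        '# Generated by sample_generator; do not edit.' \
        '. "$srcdir/build-aux/extra.sh"' \
        'echo "configured"' > "$1/configure.tampered"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in clean tampered; do
    if regen_and_diff "$demo_dir/configure.$f" sample_generator > /dev/null; then
        echo "configure.$f: identical to a clean regeneration"
    else
        echo "configure.$f: differs; lines not produced by the generator:"
        regen_and_diff "$demo_dir/configure.$f" sample_generator | sed 's/^/    /'
    fi
done
rm -rf "$demo_dir"
```

The script only reports lines added relative to the regeneration; lines removed from the submission also matter and are in the same unified diff if you print `$out` whole instead of filtering it. In practice the generator command is whatever the commit message says (for instance the autoreconf invocation and its pinned tool versions), and a non-empty report is the part of the change to review as if it were hand-written.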


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds