From: Ekaitz Zarraga
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Thu, 11 Apr 2024 16:05:43 +0200
Hi,
> and everybody is reading.
>
> This is a steep claim! I agree that nobody reads generated files in a release tarball, but I am not sure how many other files are actually read.
Yeah, it is. I'd also love to know how effective the reading of a release tarball is compared to a VCS repo. The quality of the reading is also very important. I simply don't even try to read a tarball; not having the history makes understanding it very difficult. If I find a piece of code that seems odd, I would like to `git blame` it and see what the reason for the inclusion was, who included it, and so on.

It's not much, but it's better than nothing. Although I'd understand if you told me the history might be misleading, too.