by TZubiri 811 days ago
But open sourceness in no way contributed to this being found, it was not in the source code.

If something like this happened in Windows, it could be found in the same way, and the culprit could be identified and charged with crimes.

Just take the L for FOSS instead of trying a UNO reverse card


> But open sourceness in no way contributed to this being found, it was not in the source code.

Where was it? The explanation I saw included obfuscated code?

Disregard the comment you're replying to, they're either misinformed or deliberately inaccurate in their assessment.

The backdoor consisted of a combination of publicly visible code and binary blob test files available in the project's repository, as well as obfuscated build scripts which were contained only in the released tarballs, tucked away, which nevertheless were also publicly accessible, decompressible and auditable [1].

[1] https://gynvael.coldwind.pl/?lang=en&id=782
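The comment above rests on the point that a release tarball, even when it carries files the git tree does not, is still a public artifact anyone can unpack and audit. The script below is an added example of that audit (it is not from the page, from the linked write-up, or from the xz project): it lists files that exist only in a tarball and files that differ between the tarball and a source tree such as a checkout of the tagged commit. All file and package names used are constructed for illustration; it needs only POSIX sh, tar, find, sed, sort, comm and cmp.

```shell
#!/bin/sh
# Added example, not code from the page or the project it discusses.
# Compare a release tarball against a source tree (e.g. a git checkout of
# the release tag) and report what a "download the source from git" reader
# would never see: files present only in the tarball, and files whose
# tarball copy differs from the tree copy.
# All names used here are constructed; adjust to the package under review.

# Print files that are in the tarball but absent from the tree, one per line.
#   $1 = path to the tarball (tar auto-detects gzip/xz on read)
#   $2 = path to the source tree to compare against
tarball_only_files() {
    tb="$1"
    tree="$2"
    tmpdir=$(mktemp -d) || return 1
    # tar -t lists entries as "pkg-1.0/sub/file"; strip the leading top-level
    # directory, drop directory entries (ending in '/') and blank lines.
    tar -tf "$tb" | sed 's,^[^/]*/,,' | grep -v '/$' | grep -v '^$' | sort -u \
        > "$tmpdir/tar.lst"
    (cd "$tree" && find . -type f | sed 's,^\./,,' | sort -u) > "$tmpdir/tree.lst"
    # comm -23: lines only in the first list (tarball), not in the second (tree)
    comm -23 "$tmpdir/tar.lst" "$tmpdir/tree.lst"
    rm -rf "$tmpdir"
}

# Print files that exist in both the tarball and the tree but whose contents
# differ, one per line. Same arguments as above.
tarball_modified_files() {
    tb="$1"
    tree="$2"
    tmpdir=$(mktemp -d) || return 1
    mkdir "$tmpdir/x"
    tar -xf "$tb" -C "$tmpdir/x"
    # Release tarballs conventionally unpack into a single top-level directory.
    top=$(ls "$tmpdir/x" | head -n 1)
    (cd "$tmpdir/x/$top" && find . -type f | sed 's,^\./,,' | sort) |
    while IFS= read -r f; do
        if [ -f "$tree/$f" ] && ! cmp -s "$tmpdir/x/$top/$f" "$tree/$f"; then
            printf '%s\n' "$f"
        fi
    done
    rm -rf "$tmpdir"
}

# Usage (constructed paths):
#   tarball_only_files pkg-1.0.tar.gz ./pkg-checkout
#   tarball_modified_files pkg-1.0.tar.gz ./pkg-checkout
```

Anything the first function prints is a file the maintainer shipped without committing it; anything the second prints is a committed file that was altered on the way into the release. Both lists should normally be short and fully explained by the project's release process (generated configure scripts, ChangeLog, and so on); an entry that is not explained is where to start reading.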

It was hidden in tests, so it didn't appear if you pressed the "download source" button and built it yourself / started crawling through each line of code, iirc.

In some sense, the exact specifics of the attack were discovered because the norm of open source is even more open than the GPL and co. require.

So discovering the exploit absolutely depended on FOSS. If the vulnerability was in an Oracle product, nobody outside Oracle would have access to their tests (and publishing the bug would be a legal issue).