by wolverine876 805 days ago
> But open sourceness in no way contributed to this being found, it was not in the source code.

Where was it? The explanation I saw included obfuscated code?

2 comments

Disregard the comment you're replying to, they're either misinformed or deliberately inaccurate in their assessment.

The backdoor consisted of a combination of publicly visible code and binary blob test files available in the project's repository, as well as obfuscated build scripts which were contained only in the released tarballs, tucked away, which, nevertheless, were also publicly accessible, decompressable and auditable.[1]

[1] https://gynvael.coldwind.pl/?lang=en&id=782

It was hidden in tests, so it didn't appear if you pressed the "download source" button and built it yourself / started crawling through each line of code, iirc.

In some sense, the exact specifics of the attack were discovered because the norm of open source is even more open than the GPL and co. require.

So discovering the exploit absolutely depended on FOSS. If the vulnerability was in an Oracle product, nobody outside Oracle would have access to their tests (and publishing the bug would be a legal issue).
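The audit the thread describes, comparing a release tarball against the tagged source tree to surface files that exist only in the tarball or differ from what is tracked, as an added example that is not part of the thread or of the xz project. The tarball, the "tracked tree" and the file contents below are constructed in-memory stand-ins (in practice the tracked side would come from `git ls-files` at the release tag); the file names are illustrative assumptions, not the real artifacts:

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the git-tracked tree at the release tag
# (path -> contents). In practice this comes from `git ls-files` + `git show`.
TRACKED = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/build-to-host.m4": b"# upstream macro\nAC_DEFUN([gl_BUILD_TO_HOST], [:])\n",
    # Binary test fixtures tracked in git are NOT caught by this check; they
    # need separate review, which is exactly where part of the payload can hide.
    "tests/files/good-1.xz": b"\xfd7zXZ\x00good",
}

# Constructed release contents: the tracked tree, one file that differs from
# git (a tampered m4 macro, assumed) and one generated file (autoconf output).
RELEASE_FILES = dict(TRACKED)
RELEASE_FILES["m4/build-to-host.m4"] = (
    b"# upstream macro\nAC_DEFUN([gl_BUILD_TO_HOST], [eval \"$(sed ...)\"])\n"
)
RELEASE_FILES["configure"] = b"#!/bin/sh\n# Generated by autoconf (expected extra)\n"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tarball(prefix: str, files: dict) -> bytes:
    """Build a gzip tarball in memory with a top-level `prefix/` directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(tar_bytes: bytes, tracked: dict, prefix: str):
    """Return (only_in_tarball, modified): regular files under `prefix/` that are
    absent from the tracked tree, and tracked files whose bytes differ."""
    only_in_tarball, modified = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.startswith(prefix + "/"):
                continue
            rel = member.name[len(prefix) + 1:]
            data = tar.extractfile(member).read()
            if rel not in tracked:
                only_in_tarball.append(rel)
            elif _sha256(data) != _sha256(tracked[rel]):
                modified.append(rel)
    return sorted(only_in_tarball), sorted(modified)


RELEASE_TARBALL = build_tarball("demo-1.0", RELEASE_FILES)


def demo():
    """Audit the constructed release against the constructed tracked tree."""
    return audit_tarball(RELEASE_TARBALL, TRACKED, "demo-1.0")


if __name__ == "__main__":
    extra, changed = demo()
    print("only in tarball:", extra)
    print("differs from git:", changed)
```

The output is a review list, not an alarm: autotools releases legitimately ship generated files such as `configure`, so "only in tarball" entries must be triaged against what the release process is expected to generate, while a tracked file that differs from git (here the constructed `m4/build-to-host.m4`) is the kind of finding that deserves a line-by-line read. Files tracked in git, including binary test fixtures, pass this check unchanged and still need their own review.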