by Gibbon1 777 days ago
> But the fact that a merge can have arbitrary changes in it always bothers me!

After that xz thing where they were trying to install a back door, having changes that are hidden like this is a big red flag.

In fact, changing include <something.h> to include "something.h" with a hidden commit like this isn't a red flag, it's a big rotating alarm with a siren. Someone's trying to set things up to include malicious code via a faked system lib.
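
The angle-bracket-to-quotes change described in this comment is something a reviewer can check mechanically rather than by eye. The script below is an added example, not code from the thread or from any project mentioned in it: it scans a unified diff (for instance the output of `git show` on a merge commit, or of `git diff` between the merge and its first parent) for headers that were removed in `<system>` form and re-added in `"quoted"` form within the same file. The quoted form makes the compiler search the including file's directory first, which is why a same-named file dropped next to the source can shadow the real system header. The diff text it runs on is constructed for illustration.

```python
import re

# Matches `#include <hdr>` or `#include "hdr"`, capturing the opening delimiter and the path.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*([<"])([^>"]+)[>"]')


def parse_include(code_line):
    """Return (header_path, form), where form is 'system' for <...> and 'local'
    for "...". Returns None when the line is not an #include directive."""
    m = INCLUDE_RE.match(code_line)
    if not m:
        return None
    return (m.group(2).strip(), 'system' if m.group(1) == '<' else 'local')


def find_include_downgrades(diff_text):
    """Scan a unified diff and return [(file, header), ...] for every header that
    was removed in <angle> form and re-added in "quoted" form in the same file.
    Headers re-added in the same form, or quoted includes that were already
    quoted, are not reported."""
    findings = []
    current_file = None
    removed_system = set()
    for raw in diff_text.splitlines():
        if raw.startswith('+++ '):
            # New file section: record the path (strip git's b/ prefix) and reset state.
            current_file = raw[4:].strip()
            if current_file.startswith('b/'):
                current_file = current_file[2:]
            removed_system = set()
            continue
        if raw.startswith(('--- ', '@@', 'diff ', 'index ')):
            continue  # diff metadata, not source lines
        if raw.startswith('-'):
            inc = parse_include(raw[1:])
            if inc and inc[1] == 'system':
                removed_system.add(inc[0])
        elif raw.startswith('+'):
            inc = parse_include(raw[1:])
            if inc and inc[1] == 'local' and inc[0] in removed_system:
                findings.append((current_file, inc[0]))
    return findings


# Constructed sample diff (hypothetical files, not from any real project).
# src/auth.c swaps <openssl/hmac.h> for "openssl/hmac.h"; the other edits are benign.
SAMPLE_DIFF = """\
diff --git a/src/auth.c b/src/auth.c
--- a/src/auth.c
+++ b/src/auth.c
@@ -1,5 +1,5 @@
-#include <openssl/hmac.h>
+#include "openssl/hmac.h"
 #include <stdio.h>
-#include <string.h>
+#include <string.h>  /* re-added in the same form: not flagged */
 #include "auth.h"
diff --git a/src/util.c b/src/util.c
--- a/src/util.c
+++ b/src/util.c
@@ -1,2 +1,2 @@
-#include "config.h"
+#include "../config.h"
 #include <stdlib.h>
"""

if __name__ == '__main__':
    for path, header in find_include_downgrades(SAMPLE_DIFF):
        print(f'{path}: <{header}> changed to "{header}"')
```

Run against the sample it reports only `src/auth.c: <openssl/hmac.h> changed to "openssl/hmac.h"`; the `config.h` path change in `util.c` stays quoted on both sides and is ignored. To use it on a repository, pipe the diff of the merge commit into `find_include_downgrades` and fail the review if the list is non-empty.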


Sadly, not all of us can live in the tech equivalent of Bond films. There are only so many xz backdoors to go around.
There could be thousands of similar Manchurian developers right now, and it wouldn't even be a significant effort.
Until they're activated, how are you going to know?