by TheDong 401 days ago
Verify how?

Go look at the "build log" in your compromised Jenkins server and download the (already compromised) build artifact and make sure it matches the mega.co.nz file?

Do you expect the average software engineer to be able to look at a .exe, pull up a disassembler, and know that all the assembly maps back to the source code?

3 comments

The person who originally reported it was not super technical, so if your software engineer can't reproduce the customer's steps to see the same error then you probably need better software engineers.

You say "Jenkins server" as if there's a CI setup involved.

I wouldn't be surprised if, in many cases, these companies just have whoever touched the code last run a build on their computer and ship that. (Which probably explains how some of the malware got there.)

It's not hard to replicate downloading a zip archive from the official location and find someone knowledgeable to look at it if you aren't yourself. A non-software-engineer did just that.