by TacticalCoder 110 days ago
Something that's puzzling in that XZ backdoor attempt is that the attacker had to hide the evil payload. And he hid it in test files and AIUI it was injected at build time through a modified build script and that went unnoticed (it's a compiled, deployed version that got caught by someone and raised alarm bells).

Why are build scripts not operating in a clean directory, stripping away all test related files?

Isn't this something we should begin to consider doing, seeing that it's all too easy to put arbitrary things in test files (you can just pretend stuff is "fuzzed" or "random" or "test vectors" and whatnot: there's always going to be room to hide mischief in test files)?

Like literally building, but only after having erased all test directories/files/data.

Or put it this way: how many backdoors are actually live but wouldn't be if every single build was only done after carefully deleting all the irrelevant files related to tests?
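
One way to do the build the comment above describes, as an added example that is not part of the original post: stage the source into a clean directory with test directories deleted, then list any build inputs that still reference them. The directory names, the build-file patterns and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Directory names treated as test material (an assumption; adjust per project).
TEST_DIRS='test tests testdata'

# Copy SRC into DEST, then delete every directory named in TEST_DIRS.
stage_without_tests() {
    src=$1 dest=$2
    mkdir -p "$dest"
    cp -R "$src"/. "$dest"/
    for name in $TEST_DIRS; do
        find "$dest" -type d -name "$name" -prune -exec rm -rf {} +
    done
}

# List build inputs in the staged tree that still mention a stripped directory.
# A hit means the build reads test files and needs review before it ships.
build_refs_to_tests() {
    tree=$1
    pattern=$(printf '(^|[^[:alnum:]_])(%s)/' "$(echo $TEST_DIRS | tr ' ' '|')")
    find "$tree" -type f \( -name 'Makefile*' -o -name '*.m4' -o -name '*.sh' \
        -o -name 'configure*' -o -name 'CMakeLists.txt' \) \
        -exec grep -lE "$pattern" {} + | sed "s|^$tree/||" | sort
}

# Constructed sample project: one source file, one opaque test fixture,
# a Makefile that reads the fixture at build time, and a clean build script.
make_sample_tree() {
    root=$1
    mkdir -p "$root/src" "$root/tests/files"
    printf 'int main(void){return 0;}\n' > "$root/src/main.c"
    printf 'opaque-bytes' > "$root/tests/files/sample.bin"
    printf 'all:\n\tcat tests/files/sample.bin > blob\n' > "$root/Makefile"
    printf 'cc -o app src/main.c\n' > "$root/build.sh"
}

# Demo on the constructed tree: the original is left untouched, the staged
# copy has no tests/ directory, and the Makefile is reported for review.
work=$(mktemp -d)
make_sample_tree "$work/upstream"
stage_without_tests "$work/upstream" "$work/stage"
build_refs_to_tests "$work/stage"
```

A non-empty list means some build step depends on test data, which in the staged tree no longer exists, so the build either fails loudly or the reference gets reviewed.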