
The actual inclusion code was never in the repo. The blobs were hidden as lzma test files.

So your review would need to guess from 2 new test files that those are, when decompressed, a backdoor, and could be injected by code which was never in the git history.

This was explicitly built to evade such reviews.



> The blobs were hidden as lzma test files.

OK, that is absolutely devious.


I suppose you think the maintainers shouldn’t have scrutinized those files? Please tell me it’s a joke.


The person who added the malicious blobs and signed the compromised archives was literally a maintainer of the project.


OK, go ahead and scrutinize those files without looking at the injection code that was never in the repo. Can you find anything malicious? Probably not: it looks like random garbage, which is what it was claimed to be.
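The point made in the first comment and repeated in the last one is that the part of the backdoor that wires the blobs in never existed in git, only in the signed release archives, so no review of commits could have caught it. The one check that does see that class of change is diffing the release tarball against an archive of the tagged tree. The following is an added example, not code from the thread or from the project under discussion; the file names, the `demo-1.0/` prefix and the archive contents are constructed sample data, and the `expected_generated` allowlist (for autotools output such as `configure`, which legitimately appears only in the tarball) is this example's own convention.

```python
import hashlib
import io
import tarfile


def build_tar(files):
    """Build an in-memory tar archive from a {path: bytes} mapping.

    Used only to fabricate the two constructed sample archives below; in
    practice the inputs are a downloaded release tarball and the output of
    `git archive --prefix=<name>/ <tag>`.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_digests(tar_bytes):
    """Map each regular file in a tar to its SHA-256, dropping the top-level
    directory (release tarballs and `git archive --prefix=` both add one)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_release_to_vcs(release_tar, vcs_tar, expected_generated=frozenset()):
    """Diff a release tarball against the archive of the tagged VCS tree.

    Files present only in the tarball but on the expected_generated allowlist
    (hypothetical convention: autotools output such as `configure`) are
    reported separately from anything else. A tracked file whose bytes differ
    from the tag is exactly what a review of the repository can never see.
    """
    rel = tar_digests(release_tar)
    vcs = tar_digests(vcs_tar)
    new_in_release = set(rel) - set(vcs)
    return {
        "unexpected_new": sorted(new_in_release - set(expected_generated)),
        "expected_generated": sorted(new_in_release & set(expected_generated)),
        "modified_tracked": sorted(n for n in rel.keys() & vcs.keys() if rel[n] != vcs[n]),
        "missing_from_release": sorted(set(vcs) - set(rel)),
    }


def demo():
    """Constructed sample: a tag archive and a tarball cut from the same tag,
    where one tracked macro file gained content that was never committed."""
    # Opaque test blob (constructed bytes); by itself it looks like any other test file.
    lzma_blob = b"\xfd7zXZ\x00\x00\x04\xe6\xd6\xb4F"
    vcs = {
        "demo-1.0/configure.ac": b"AC_INIT([demo],[1.0])\n",
        "demo-1.0/m4/helper.m4": b"# tracked macro\n",
        "demo-1.0/tests/files/good-1.lzma": lzma_blob,
    }
    release = dict(vcs)
    # Generated build script: expected to exist only in the tarball.
    release["demo-1.0/configure"] = b"#!/bin/sh\n# generated by autoconf\n"
    # Tracked file altered only in the tarball: the finding that matters.
    release["demo-1.0/m4/helper.m4"] = vcs["demo-1.0/m4/helper.m4"] + b"# line present only in the tarball\n"
    return compare_release_to_vcs(build_tar(release), build_tar(vcs), expected_generated={"configure"})


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run against real artifacts, the two inputs are the published tarball and `git archive` of the signed tag; anything under `modified_tracked`, or under `unexpected_new` once the generated files are allowlisted, is what to open and read, regardless of what the test blobs look like.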



