On Sat, Mar 30, 2024 at 08:22:06PM +0900, Dominique Martinet wrote:
> > the initial injection (original:
> > https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD).
>
> (Honestly I did compare the backdoored script and the real one this
> morning and I would be hard pressed to say if either is backdoored just
> looking at either version... Admittedly it was 3AM when I looked at it,
> but I don't think it's just a late hour problem)

Right! Definitely not a 3am problem :-/

> > (3) We should have a "security path", like "critical path".
...
> Before making each of these safer we should make sshd not link with so
> many things in the first place.
> On oss-security, Solar Designer made a lot of good points about it
> (around here: https://www.openwall.com/lists/oss-security/2024/03/29/27
> , but the full thread is interesting)

Agreed.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html