• Aatube@kbin.melroy.org
      link
      fedilink
      arrow-up
      36
      arrow-down
      2
      ·
      edit-2
      7 months ago

      The tarballs are the official distributions of the source code. The maintainer had git remove the malicious entry point when pushing the newest versions of the source code while retaining it inside these distributions.

      All of this would be avoided if Debian downloaded from GitHub’s distributions of the source code, albeit unsigned.

      • Corngood@lemmy.ml
        link
        fedilink
        arrow-up
        21
        ·
        7 months ago

        All of this would be avoided if Debian downloaded from GitHub’s distributions of the source code, albeit unsigned.

        In that case they would have just put it in the repo, and I’m not convinced anyone would have caught it. They may have obfuscated it slightly more.

        It’s totally reasonable to trust a tarball signed by the maintainer, but there probably needs to be more scrutiny when a package changes hands like this one did.