But this is the crucial thing. It wasn’t in the repository. It was in the tarball. It’s a very careful distinction because, people generally reviewed the repository and made the assumption that what’s there, is all that matters.
The changes to the make process only being present in the tarball was actually quite an ingenius move. Because they knew that the process many distro maintainers use is to pull the tarball and work from that (likely with some automated scripting to make the package for their distro).
This particular path will probably be harder to reproduce in the future. Larger projects I would expect have some verification process in place to ensure they match (and the backup of people independently doing the same).
But it’s not to say there won’t in the future be some other method of attack the happens out of sight of the main repository and is missed by the existing processes.
But this is the crucial thing. It wasn’t in the repository. It was in the tarball. It’s a very careful distinction because, people generally reviewed the repository and made the assumption that what’s there, is all that matters.
The changes to the make process only being present in the tarball was actually quite an ingenius move. Because they knew that the process many distro maintainers use is to pull the tarball and work from that (likely with some automated scripting to make the package for their distro).
This particular path will probably be harder to reproduce in the future. Larger projects I would expect have some verification process in place to ensure they match (and the backup of people independently doing the same).
But it’s not to say there won’t in the future be some other method of attack the happens out of sight of the main repository and is missed by the existing processes.
Absolutely understand the point. They had a good idea. They failed. Done. my point stands. Foss is superior.