Russ Allbery wrote:
> [...]
> There is extensive ongoing discussion of this on debian-devel. There's no
> real consensus in that discussion, but I think one useful principle that's
> emerged that doesn't disrupt the world *too* much is that the release
> tarball should differ from the Git tag only in the form of added files.
From what I understand, the xz backdoor would have passed this check.
The backdoor dropper was hidden in test data files that /were/ in the
repository, and required code in the modified build-to-host.m4 to
activate it. The m4 files were not checked into the repository, instead
being added (presumably by running autogen.sh with a rigged local m4
file collection) while preparing the release.
Someone with a copy of a crocked release tarball should check if
configure even had the backdoor "as released" or if the attacker was
/depending/ on distributions to regenerate configure before packaging xz.
-- Jacob
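The "added files only" principle from the quoted message, as an added example (not code from this thread): a Python check that compares a `git archive` tarball of the tag against the release tarball and reports which paths were added, modified or removed. The sample trees use constructed placeholder file names and contents, not xz's real files; as Jacob's reply points out, an added m4 file or generated configure lands only in the "added" list, so that list still has to be reviewed by a human.

```python
from __future__ import annotations
import hashlib, io, tarfile
from dataclasses import dataclass

def tar_digests(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file in a tar archive to its SHA-256, with the leading
    top-level directory (e.g. 'pkg-1.0/') stripped so `git archive --prefix=`
    output and a release tarball compare by the same relative paths."""
    digests: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                head, sep, rest = member.name.partition("/")
                data = tar.extractfile(member).read()
                digests[rest if sep else head] = hashlib.sha256(data).hexdigest()
    return digests

@dataclass
class TarballDiff:
    added: list[str]     # only in the release tarball (autotools output, etc.)
    modified: list[str]  # in both, but contents differ from the tagged tree
    removed: list[str]   # only in the tagged tree

    def only_adds_files(self) -> bool:
        """The debian-devel principle: a release may add files, never alter or drop them."""
        return not self.modified and not self.removed

def compare_release_to_tag(tag_tar: bytes, release_tar: bytes) -> TarballDiff:
    """Classify every path between `git archive <tag>` output and the release tarball."""
    tag, rel = tar_digests(tag_tar), tar_digests(release_tar)
    return TarballDiff(
        added=sorted(p for p in rel if p not in tag),
        modified=sorted(p for p in tag if p in rel and tag[p] != rel[p]),
        removed=sorted(p for p in tag if p not in rel),
    )

def build_tar(prefix: str, files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive; used here only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample trees (hypothetical names, not xz's real contents): the tag
# holds the sources, the release additionally ships generated autotools files.
TAG_TREE = {"configure.ac": b"AC_INIT([pkg],[1.0])\n", "src/main.c": b"int main(void){return 0;}\n",
            "tests/files/good.bin": b"\x00\x01"}
RELEASE_TREE = {**TAG_TREE, "configure": b"#!/bin/sh\n", "m4/build-to-host.m4": b"dnl generated\n"}
```

In practice, feed `compare_release_to_tag` the bytes of `git archive --format=tar <tag>` and of the downloaded release tarball; a non-empty `modified` or `removed` list fails the check, and every entry in `added` (m4 macros, configure, Makefile.in) is a build input that deserves a diff against what a clean `autoreconf` would produce.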