On 2024-04-03, Emmanuel Lécharny wrote:

> On 02/04/2024 21:57, Nick Wellnhofer wrote:
>> Binary test data can also be generated with a script or a more sophisticated 
>> test suite which might even be more maintainable in the long run.

>> On the other hand, tests are the prime target to hide malicious code
>> and there are many ways to hide data even in innocuous-looking text
>> files.

> We don't provide binaries, we provide source code. For the projects
> providing executables, I expect they don't include tests and the
> associated binary files in their packages...

In the case of XZ utils it is the source tarball that spreads the
malicious code. The code sits inside test binaries and makes its way
into the liblzma binary built from the source tarball via a patched
build script - which is different from the one in git and thus hopefully
would have been detected by our release vetting processes.

So "we only ship sources" on its own is not enough.

Stefan
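As an added illustration of the vetting step described above (not code from this thread or from any Apache project): hash every regular file in a release tarball and compare it with the tree of the tagged commit, assumed here to be the output of `git archive <tag>` extracted into a directory, so that a build script whose content differs from git, or that exists only in the tarball, is reported. The file names and contents in `demo()` are constructed sample data.

```python
import hashlib, io, os, tarfile, tempfile

def digests_from_tree(tree_dir: str) -> dict:
    """Relative path -> sha256 of every regular file under tree_dir."""
    out = {}
    for root, _dirs, files in os.walk(tree_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, tree_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def digests_from_tarball(tarball: str) -> dict:
    """Same map for the tarball; the top-level 'proj-1.0/' prefix is stripped."""
    out = {}
    with tarfile.open(tarball, "r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[-1]
                out[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def vet_release(tarball: str, tree_dir: str) -> dict:
    """Paths only in the tarball, only in git, or whose content differs."""
    t, g = digests_from_tarball(tarball), digests_from_tree(tree_dir)
    return {
        "only_in_tarball": sorted(set(t) - set(g)),
        "only_in_git": sorted(set(g) - set(t)),
        "modified": sorted(p for p in set(t) & set(g) if t[p] != g[p]),
    }

def demo() -> dict:
    """Constructed sample (not real project files): a git tree and a tarball
    whose m4 build script was altered, which adds a macro file and drops README."""
    base = tempfile.mkdtemp()
    tree = os.path.join(base, "tree")
    os.makedirs(os.path.join(tree, "build-aux"))
    git_files = {"configure.ac": b"AC_INIT\n", "build-aux/m.m4": b"ok\n", "README": b"r\n"}
    for rel, data in git_files.items():
        with open(os.path.join(tree, rel), "wb") as fh:
            fh.write(data)
    tar_files = {"configure.ac": b"AC_INIT\n", "build-aux/m.m4": b"patched\n", "m4/x.m4": b"x\n"}
    tarball = os.path.join(base, "proj-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        for rel, data in tar_files.items():
            info = tarfile.TarInfo("proj-1.0/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return vet_release(tarball, tree)
```

Any entry under "modified" or "only_in_tarball" that names a build script or macro file is a release that should not ship until the difference is explained.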
