
Re: Compromising Debian Repositories



On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
> I think the real issue is about if the malicious patch is not part of
> the source package

Why? It certainly makes your argument simpler if you arbitrarily restrict the problem set, but it isn't obvious that it makes sense. If I was going to backdoor something, I'd just make an innocent-looking coding error that would enable a successful exploit; I certainly wouldn't put in a commented section of code that says "backdoor here". With sufficient effort it wouldn't be hard to inject such a vulnerability that would go unnoticed for years--and I'm not sure why that's less of an issue than someone making a one-time build with a malicious patch that is not part of the source package.

Mike Stone
