Hi,
Nicholas Geovanis wrote:
But what if next time the back-doored software _does_ build without error?
The initial build problems did not cause suspicion.
It was the CPU load of sshd and an obscure complaint by valgrind which
caused the discovery.
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
quotes the discoverer Andres Freund:
"I was doing some micro-benchmarking at the time, needed to quiesce
the system to reduce noise. Saw sshd processes were using a surprising
amount of CPU, despite immediately failing because of wrong usernames
etc. Profiled sshd, showing lots of cpu time in liblzma, with perf
unable to attribute it to a symbol. Got suspicious. Recalled that I had
seen an odd valgrind complaint in automated testing of postgres, a few
weeks earlier, after package updates.
Really required a lot of coincidences."
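The discovery described above hinged on noticing that liblzma was mapped into sshd at all. The following added example (not part of this thread or any Debian tool) shows a defender-side version of that observation: it parses the `/proc/<pid>/maps` format and reports shared objects that are not on an allowlist of libraries one expects in an OpenSSH daemon. The allowlist, the sample maps text and the function names are assumptions constructed for the example; adapt the list to your own distribution's sshd.

```python
"""Flag shared objects mapped into an sshd process that are not expected.

Added example, not code from the mailing-list thread. It reads text in
/proc/<pid>/maps format and lists libraries outside an allowlist, which is
the kind of check that exposes a compression library inside an SSH daemon.
"""
import re
from pathlib import Path

# Libraries normally present in an OpenSSH daemon on a glibc system.
# ASSUMPTION for this example: adjust to what your own sshd links against.
EXPECTED_PREFIXES = (
    "libc.so", "ld-linux", "libcrypto.so", "libz.so", "libpam.so",
    "libaudit.so", "libselinux.so", "libgssapi_krb5.so", "libkrb5.so",
    "libcrypt.so", "libresolv.so", "libm.so", "libpthread.so", "libdl.so",
)

# /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(\S+)$")

# Constructed sample in /proc/<pid>/maps format (not captured from a real host).
SAMPLE_MAPS = """\
5611d2c00000-5611d2c2a000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
7f3a1c000000-7f3a1c027000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c420000 r--p 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
7f3a1c500000-7f3a1c530000 r--p 00000000 fd:01 3456 /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5
7f3a1c600000-7f3a1c610000 rw-p 00000000 00:00 0
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""


def mapped_libraries(maps_text):
    """Return the sorted basenames of shared objects found in maps text.

    Anonymous mappings (no path) and pseudo-paths such as [stack] are skipped,
    as is the main executable, which has no ".so" in its name.
    """
    libs = set()
    for line in maps_text.splitlines():
        match = MAPS_LINE.match(line)
        if not match:
            continue
        path = match.group(1)
        if path.startswith("/") and ".so" in path:
            libs.add(Path(path).name)
    return sorted(libs)


def unexpected_libraries(maps_text, expected=EXPECTED_PREFIXES):
    """Return mapped libraries whose basename matches none of the allowlist."""
    return [lib for lib in mapped_libraries(maps_text)
            if not lib.startswith(expected)]


def check_pid(pid):
    """Read a live process's maps (Linux only) and return the unexpected set."""
    maps_text = Path(f"/proc/{pid}/maps").read_text()
    return unexpected_libraries(maps_text)


if __name__ == "__main__":
    # On the constructed sample this reports liblzma and libsystemd.
    for lib in unexpected_libraries(SAMPLE_MAPS):
        print("unexpected in sshd:", lib)
```

Run against a real daemon with `check_pid(<sshd pid>)` as root. Note that on Debian's patched openssh-server, libsystemd is itself expected (it provides the service-readiness notification) and it is what pulled liblzma into the process, so a tuned allowlist would accept libsystemd and still flag liblzma; an unexplained entry is a reason to profile, as the discoverer did, not proof of compromise.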
gene heskett wrote:
In light of that it's worth noting that an M$ employee was the first to
spot it.
Indeed.
Thus we should also praise the peace between Microsoft and free software
which broke out a few years ago.
There remains the question of whom a good citizen should contact when
spotting something that could be a backdoor (or a subtenant ?) of
Debian's content or infrastructure.
It seems unwise for a non-expert to do this in public, unless one wants
to accuse the innocent or to warn the hoodlums.