Conversation

Notices

1. Embed this notice
   Hans-Christoph Steiner (eighthave@social.librem.one)'s status on Monday, 01-Apr-2024 18:13:11 JST Hans-Christoph Steiner

   Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now

   https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889

   • gidi, Fish of Rage and Jeff "never puts away anything, especially oven mitts" Cliff, Bringer of Nightmares 🏴‍☠️🦝🐙 🇱🇧🧯 🇨🇦🐧 like this.
   • Embed this notice
     Râu Cao ⚡ (raucao@kosmos.social)'s status on Tuesday, 17-Dec-2024 10:24:26 JST Râu Cao ⚡

     in reply to

     @eighthave Yeah, comments pushing for quick merges instead of adding actual code reviews, or for handing over maintainership altogether, should immediately raise some flags in maintainers' minds. Personally, I found that further probing and asking for actual contributions were good strategies to evaluate intentions.

     Jeff "never puts away anything, especially oven mitts" Cliff, Bringer of Nightmares 🏴‍☠️🦝🐙 🇱🇧🧯 🇨🇦🐧 likes this.