Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://social.librem.one/users/eighthave/statuses/112194828562355097">Hans-Christoph Steiner (eighthave@social.librem.one)'s status on Monday, 01-Apr-2024 18:13:11 JST</a><a href="https://social.librem.one/@eighthave" title="eighthave@social.librem.one"><img src="https://gnusocial.jp/avatar/139590-48-20230624110310.webp" width="48" height="48" alt="Hans-Christoph Steiner" style="position: absolute; left: 0; top: 0;">Hans-Christoph Steiner</a></section><article><p>Three years ago, <a href="https://social.librem.one/tags/FDroid" rel="tag">#FDroid</a> had a similar kind of attempt as the <a href="https://social.librem.one/tags/xz" rel="tag">#xz</a> <a href="https://social.librem.one/tags/backdoor" rel="tag">#backdoor</a>.  A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on.  There was also pressure from other random accounts to merge it.  In the end, it became clear that it added a <a href="https://social.librem.one/tags/SQLinjection" rel="tag">#SQLinjection</a> <a href="https://social.librem.one/tags/vuln" rel="tag">#vuln</a>.  In this case, we managed to catch it before it was merged.  Since similar tactics were used, I think its relevant now </p><p><a href="https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889" rel="nofollow noreferrer">https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2888094#notice-5739028">In conversation</a><time datetime="2024-04-01T18:13:11+09:00" title="Monday, 01-Apr-2024 18:13:11 JST">about a year ago</time> <span>from <span><a href="https://social.librem.one/@eighthave/112194828562355097" rel="external" title="Sent from social.librem.one via ActivityPub">social.librem.one</a></span></span><a href="https://social.librem.one/@eighthave/112194828562355097">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: gitlab.com</div><h5><a href="https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889">Search improvements: Sort based on keyword matching and removed alphabetic sort (!889) · Merge requests · F-Droid / Client · GitLab</a></h5><div></div></header><div>The search results are pretty unusable currently. So I've changed it to show apps in this order: App name matches keyword, summary matches keyword, description matches keyword. Also,...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Hans-Christoph Steiner (eighthave@social.librem.one)'s status on Monday, 01-Apr-2024 18:13:11 JST Hans-Christoph Steiner
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889
In conversationabout a year ago from social.librem.onepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: gitlab.com
  Search improvements: Sort based on keyword matching and removed alphabetic sort (!889) · Merge requests · F-Droid / Client · GitLab
  The search results are pretty unusable currently. So I've changed it to show apps in this order: App name matches keyword, summary matches keyword, description matches keyword. Also,...

Public

Embed Notice

HTML Code

Corresponding Notice