Hi,

Nicholas Geovanis wrote:
> But what if next time the back-doored software _does_ build without error?

The initial build problems did not cause suspicion. It was the CPU load of
sshd and an obscure complaint by valgrind which caused the discovery.

https://boehs.org/node/everything-i-know-about-the-xz-backdoor quotes the
discoverer Andres Freund:

  "I was doing some micro-benchmarking at the time, needed to quiesce the
  system to reduce noise. Saw sshd processes were using a surprising amount
  of CPU, despite immediately failing because of wrong usernames etc.
  Profiled sshd, showing lots of cpu time in liblzma, with perf unable to
  attribute it to a symbol. Got suspicious. Recalled that I had seen an odd
  valgrind complaint in automated testing of postgres, a few weeks earlier,
  after package updates. Really required a lot of coincidences."

gene heskett wrote:
> In light of that it's worth noting that an M$ employee was the first to
> spot it.

Indeed. Thus we should also praise the peace between Microsoft and free
software which broke out a few years ago.

There remains the question, whom a good citizen should contact when spotting
something that could be a backdoor (or a subtenant ?) of Debian's content or
infrastructure. It seems unwise for a non-expert to do this in public, unless
one wants to accuse the innocent or to warn the hoodlums.

Have a nice day :)

Thomas