Many discussions about open source dependencies and maintenance happened in the last month. Two posts caught my eye in the Rust ecosystem: Sudo-rs dependencie...
I’m not saying incomprehensible build scripts are good here; my mistake for making it seem that way. I’m not confident that hiding it elsewhere would have been strictly more obvious, but it absolutely could have been.
I’ve done some pretty complex C projects and haven’t had build scripts nearly that large. This one seems particularly unwieldy and certainly helped the attacker.
I have to disagree here. Maybe they would have found another way, but it would have been a more obvious way, which is a very good thing.
Yes, it would still have been compromised, but it may have been detected earlier. So it’s still pretty bad to have these incomprehensible build scripts.