> [...]
>> I agree that distcheck is good but not a cure all. Any static
>> system can be attacked when there is motive, and unit tests are
>> easily gamed.
>
> The issue seems to be releases containing binary data for unit tests,
> instead of source or scripts to generate that data. In this case,
> that binary data was used to smuggle in heavily obfuscated object
> code.
As a side note, GNU poke (https://jemarch.net/poke) is good for generating arbitrarily complex binary data from clear textual descriptions.
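The pattern the reply argues for, as an added example that is not part of this thread and does not use GNU poke: a unit-test fixture is generated from a textual description (a constructed toy container format, not any real project's format), and a check compares a shipped fixture against the regenerated bytes so that altered or appended content is reported instead of silently accepted.

```python
"""Generate a test fixture from a textual spec and verify a shipped copy."""
import struct
import zlib

# Constructed description of the fixture: a 4-byte magic, a version,
# and a list of (name, payload) records. This is what gets committed,
# not the resulting bytes.
FIXTURE_SPEC = {
    "magic": b"TSTF",
    "version": 1,
    "records": [
        ("hello", b"hello world\n"),
        ("empty", b""),
    ],
}


def build_fixture(spec: dict) -> bytes:
    """Serialise the spec deterministically: header, length-prefixed
    records, then a CRC32 over everything before it."""
    out = bytearray(spec["magic"])
    out += struct.pack("<HH", spec["version"], len(spec["records"]))
    for name, payload in spec["records"]:
        name_b = name.encode("ascii")
        out += struct.pack("<BI", len(name_b), len(payload))
        out += name_b + payload
    out += struct.pack("<I", zlib.crc32(bytes(out)))
    return bytes(out)


def check_fixture(shipped: bytes, spec: dict) -> dict:
    """Compare a shipped blob with the regenerated one. Reports the
    offset of the first differing byte and how many bytes follow the
    expected end, the place where extra content would hide."""
    expected = build_fixture(spec)
    report = {
        "match": shipped == expected,
        "expected_len": len(expected),
        "shipped_len": len(shipped),
        "first_diff": None,
        "extra_bytes": max(0, len(shipped) - len(expected)),
    }
    for i, (a, b) in enumerate(zip(shipped, expected)):
        if a != b:
            report["first_diff"] = i
            break
    if report["first_diff"] is None and len(shipped) != len(expected):
        report["first_diff"] = min(len(shipped), len(expected))
    return report
```

Running `build_fixture` at release time and `check_fixture` in CI against the file actually in the tarball turns an opaque blob back into something a reviewer can diff.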
