On 03/04/2024 2:11 am, Daniel Golle wrote:
... and that crazy m4 script had to be noticed. As a diff one would ask:
Why was that change necessary?

While I agree with most of your points, I couldn't disagree more with the "had to be noticed" part :P

I occasionally skim over treewide diffs. When I do, and there're like (exaggerating to illustrate my point) tens of thousands of lines of autohell crap in there, I skip that eye cancer part for sanity reasons.

So in that regard, the buildsystem part of this backdoor was a smart choice. The chances of anybody looking closely at that are tiny. You would need another reason to get that masochistic. And that is what happened here: the bad actor dared to slow down postgresql.

This disaster exposes multiple problems. In my mind, autotools is one of them. But this isn't supposed to be yet another X or Y is better than autotools argument, my point is that the sheer amount of bundled build system code enlarges the attack surface by a significant degree. The chances of spotting the equivalent in e.g. a meson.build or CMakeLists.txt file are way higher.

Cheers,
Andre
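One way to make the part people skip visible, as an added example that is not part of this thread or of any project discussed in it: split a unified diff into build-system lines versus everything else and flag build-system additions that hand strings to a shell. The file patterns, the `eval`/`$SHELL` heuristic and the sample diff are this example's own assumptions and constructions.

```python
"""Triage a unified diff: how much of it lives in bundled build-system files?"""
import re

# Assumed classification of autotools-generated/bundled files (not from the thread).
BUILD_SYSTEM = re.compile(
    r"(^|/)(m4/[^/]+\.m4|configure|configure\.ac|aclocal\.m4|"
    r"Makefile\.(am|in)|config\.(guess|sub)|ltmain\.sh)$"
)
# Assumed heuristic: added build-system lines that execute dynamic shell text.
SHELL_EXEC = re.compile(r"\beval\b|\$SHELL\b|\|\s*sh\b")

# Constructed sample diff: one source change, two lines added to an m4 macro.
SAMPLE_DIFF = """\
diff --git a/src/crc64.c b/src/crc64.c
--- a/src/crc64.c
+++ b/src/crc64.c
@@ -1,2 +1,3 @@
 uint64_t crc;
+uint64_t table[256];
 int done;
diff --git a/m4/host-cpu.m4 b/m4/host-cpu.m4
--- a/m4/host-cpu.m4
+++ b/m4/host-cpu.m4
@@ -1,2 +1,4 @@
 dnl detect host CPU
+host_init="$HOST_CPU_INIT"
+eval "$host_init"
 AC_SUBST([HOST_CPU])
"""


def triage_diff(diff_text):
    """Count added lines per category and list build-system additions that run shell code."""
    result = {"build_system": 0, "other": 0, "suspicious": []}
    current = None  # path of the file whose hunks we are inside
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current = line[4:].split("\t")[0]
            current = current[2:] if current.startswith("b/") else current
            continue
        if current is None or not line.startswith("+"):
            continue  # headers, context and removed lines are not counted
        body = line[1:]
        if BUILD_SYSTEM.search(current):
            result["build_system"] += 1
            if SHELL_EXEC.search(body):
                result["suspicious"].append((current, body.strip()))
        else:
            result["other"] += 1
    return result


if __name__ == "__main__":
    print(triage_diff(SAMPLE_DIFF))
```

The per-category counts say how much of a treewide diff is build-system churn, and the flagged tuples are the lines worth reading even when the rest of the autotools part is skipped.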

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
