If so, i question why those were shipped to the client. Unless they were built into the package itself on the mirror, in which case, still curious as to why that would be. I would think tests are entirely benign and do nothing. Seems like it would be incredibly bad practice to do otherwise?

Seems like an obvious vector to shutdown any potential fuckery. But what do i fucking know.

[–] tomalley8342@lemmy.world 23 points 10 months ago (1 children)

The compile process was modified to decrypt and unpack the "corrupted" test zip file, which was actually a code patch, and apply said code patch before assembly of the final binaries.

[–] KillingTimeItself@lemmy.dbzer0.com 1 points 10 months ago

hmm ok. Yeah idk, even from an organization aspect, i still wouldn't consider that to be ok. Test files that patch code on the fly is a recipe for a nightmare of maintenance. Which i suppose is the idea here considering that it's malicious code lol.

[–] ReversalHatchery@beehaw.org 20 points 10 months ago (1 children)

They were not shipped to the client. They were shipped to the build system, executed there after deobfuscation, and they inserted an additional, opaque program file into the build process.

[–] KillingTimeItself@lemmy.dbzer0.com 1 points 10 months ago

that much i picked up on, though i didn't make it very clear. I did mention that alternative though.

[–] Fave@lemmy.world 17 points 10 months ago* (last edited 10 months ago) (1 children)

It is way more complicated than that. Very good explanation, I could never do it justice.

Edit: I found an even better one https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

[–] KillingTimeItself@lemmy.dbzer0.com 1 points 10 months ago

i know it's rather involved, i've been tailing it from the sidelines, though like i said, i am not a developer, so in terms of code and maintaining code im blind there. But everything else i understand.

It's definitely an interesting situation to observe.