The xz example does not support your case. Not only was every downstream build infected until it was discovered, it also needed a distro-specific modification (to openssh in Debian and Fedora, IIRC) to work at all.
The xz backdoor relied on a discrepancy between the development repository and the released (source) artifact.
While skipping the released tarballs wouldn't have prevented the problem entirely, it would have made it much harder to hide.
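The check the comment above implies, as an added example that is not part of the thread or of any project's own tooling: hash every regular file in a release tarball, hash the matching checked-out tree, and report what the tarball adds, drops or alters. It assumes you have already cloned the repository and checked out the tag the release claims to come from; the function names and the `demo()` fixture are constructed for illustration. The fixture reuses the path `m4/build-to-host.m4`, which is where the real xz tarball diverged from the repository, but its contents are invented.

```python
"""Compare a release tarball against a checked-out source tree (added example)."""
import hashlib
import os
import tarfile
import tempfile
from dataclasses import dataclass, field


@dataclass
class TarballDiff:
    """Files that differ between the release tarball and the source tree."""
    only_in_tarball: list = field(default_factory=list)  # generated, or smuggled in
    only_in_tree: list = field(default_factory=list)     # dropped from the release
    modified: list = field(default_factory=list)         # same path, different bytes

    def is_clean(self) -> bool:
        return not (self.only_in_tarball or self.only_in_tree or self.modified)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_hashes(root: str, ignore_dirs=(".git",)) -> dict:
    """Map relative path -> sha256 of every regular file under root."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ignore_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                hashes[rel] = _sha256(f.read())
    return hashes


def tarball_hashes(path: str) -> dict:
    """Map path (leading 'name-version/' component stripped) -> sha256 of every
    regular file in the tarball. Directories, symlinks and devices are skipped."""
    hashes = {}
    with tarfile.open(path, "r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Release tarballs normally wrap everything in one top-level directory.
            head, sep, rest = member.name.partition("/")
            rel = rest if sep else head
            hashes[rel] = _sha256(tar.extractfile(member).read())
    return hashes


def compare_tarball_to_tree(tarball: str, tree: str) -> TarballDiff:
    """Report every file the tarball adds, drops or alters relative to the tree."""
    in_tar = tarball_hashes(tarball)
    in_tree = tree_hashes(tree)
    diff = TarballDiff()
    for rel in sorted(set(in_tar) | set(in_tree)):
        if rel not in in_tree:
            diff.only_in_tarball.append(rel)
        elif rel not in in_tar:
            diff.only_in_tree.append(rel)
        elif in_tar[rel] != in_tree[rel]:
            diff.modified.append(rel)
    return diff


def demo() -> TarballDiff:
    """Constructed fixture: a tiny 'repository' plus a release tarball that ships
    one generated file and one silently edited m4 macro. Hypothetical contents."""
    with tempfile.TemporaryDirectory() as work:
        repo = os.path.join(work, "repo")
        os.makedirs(os.path.join(repo, "src"))
        os.makedirs(os.path.join(repo, "m4"))
        os.makedirs(os.path.join(repo, ".git"))  # must be ignored, not reported
        with open(os.path.join(repo, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/master\n")
        with open(os.path.join(repo, "src", "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        with open(os.path.join(repo, "m4", "build-to-host.m4"), "w") as f:
            f.write("dnl upstream macro\n")

        tarball = os.path.join(work, "proj-1.0.tar.gz")
        with tarfile.open(tarball, "w:gz") as tar:
            tar.add(os.path.join(repo, "src", "main.c"), arcname="proj-1.0/src/main.c")
            # Same path as the repository file, different bytes: the red flag.
            edited = os.path.join(work, "edited.m4")
            with open(edited, "w") as f:
                f.write("dnl upstream macro\ndnl extra stage present only in the tarball\n")
            tar.add(edited, arcname="proj-1.0/m4/build-to-host.m4")
            # A generated file that legitimately exists only in releases.
            conf = os.path.join(work, "configure")
            with open(conf, "w") as f:
                f.write("#!/bin/sh\n")
            tar.add(conf, arcname="proj-1.0/configure")

        return compare_tarball_to_tree(tarball, repo)
```

Against a real release you would expect `only_in_tarball` to hold autotools output such as `configure` and `Makefile.in`; anything in `modified`, and especially an altered file under `m4/` or a changed source file, deserves a look before the tarball is built. The check says nothing about material committed to the repository itself, which is why, as the comment notes, building from the repository narrows the hiding place rather than removing it.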