Hacker News

cookiengineer 11/04/2025

Well, technically the reason for the fork was the implanted backdoor that was executing a binary coming from Muse Group's server, hidden as telemetry and an update check. It's not a well-built backdoor and the code is easy to spot, as there's not a lot of other HTTP-related code in Audacity itself.

edit: Check the au3/src/update/UpdateManager.cpp, they're still not hiding this better after all that happened, lol.

[1] https://github.com/audacity/audacity/blob/8d6e45a9756e700b7f...


Replies

swiftcoder 11/04/2025

Can you point out the specific issue here? At a glance it looks like a fairly normal self-update patching process.

Orygin 11/04/2025

I mean, you already are "executing a binary coming from Muse groups server" if you downloaded Audacity from their website. How is an auto update mechanism a backdoor? You have to accept a modal for it to run the downloaded binary.

I guess it could be improved by using and verifying signatures, but it seems pretty on point for a standard Windows software auto-update feature.
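
An added example (not Audacity's code, not Muse Group's, and not from this thread) of the "using and verifying signatures" step the comment above says is missing. It is written in Python so it runs stand-alone: the installed binary pins the publisher's Ed25519 public key, fetches a small manifest (version plus SHA-256 of the installer) with a detached signature, and decides that the downloaded installer may be offered for execution only if the manifest verifies under the pinned key, the version is strictly newer than what is installed, and the installer's digest matches the manifest. The Ed25519 arithmetic follows the textbook reference implementation purely so the block has no dependencies; it is slow and not side-channel hardened, and an actual updater should use libsodium or another vetted library. The key seeds, version numbers, manifest format and "installer" are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Ed25519 in reference style (slow, not side-channel hardened), included only so the demo
# runs on stdlib-only Python; a real updater should call libsodium or an equivalent library.
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, Q - 2, Q) % Q
I = pow(2, (Q - 1) // 4, Q)

def _xrecover(y):
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q: x = x * I % Q
    return Q - x if x & 1 else x
_BY = 4 * pow(5, Q - 2, Q) % Q
_B = (_xrecover(_BY), _BY)  # base point

def _add(P, R):
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2 % Q
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(P, e):  # double-and-add scalar multiplication
    R = (0, 1)
    while e:
        if e & 1: R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R

def _encode(P): return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")
def _hint(m): return int.from_bytes(hashlib.sha512(m).digest(), "little")

def _decode(s):
    n = int.from_bytes(s, "little")
    y = n & (1 << 255) - 1
    x = _xrecover(y)
    if x & 1 != n >> 255: x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q: raise ValueError("point not on curve")
    return (x, y)

def _scalar(sk):  # clamped secret scalar and the nonce prefix
    h = hashlib.sha512(sk).digest()
    return (int.from_bytes(h[:32], "little") & (1 << 254) - 8) | 1 << 254, h[32:]

def ed25519_public_key(sk): return _encode(_mul(_B, _scalar(sk)[0]))

def ed25519_sign(sk, msg):
    a, prefix = _scalar(sk)
    pk = ed25519_public_key(sk)
    r = _hint(prefix + msg) % L
    R = _encode(_mul(_B, r))
    return R + ((r + _hint(R + pk + msg) * a) % L).to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    if len(pk) != 32 or len(sig) != 64: return False
    try:
        R, A = _decode(sig[:32]), _decode(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= L: return False  # non-canonical S is rejected (RFC 8032, section 5.1.7)
    return _mul(_B, s) == _add(R, _mul(A, _hint(sig[:32] + pk + msg) % L))

# The update gate: the downloaded installer may run only if every check passes.
def verify_update(pinned_pk, manifest, manifest_sig, payload, installed_version):
    if not ed25519_verify(pinned_pk, manifest, manifest_sig):
        return False, "manifest signature invalid"
    try:
        m = json.loads(manifest)
        version = tuple(int(p) for p in m["version"].split("."))
        expected = bytes.fromhex(m["sha256"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "manifest malformed"
    if version <= installed_version:  # anti-rollback: a genuine but older release is refused
        return False, "not newer than installed version"
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), expected):
        return False, "payload does not match the signed digest"
    return True, "ok"

# Constructed demo material: not a real publisher key, release number or installer.
_DEMO_SK = hashlib.sha256(b"demo publisher seed").digest()
DEMO_PUBLISHER_KEY = ed25519_public_key(_DEMO_SK)  # what the shipped binary would pin
DEMO_PAYLOAD = b"#!/bin/sh\necho 'pretend installer'\n"
DEMO_MANIFEST = json.dumps({"version": "2.0.0", "sha256": hashlib.sha256(DEMO_PAYLOAD).hexdigest()}).encode()
DEMO_SIG = ed25519_sign(_DEMO_SK, DEMO_MANIFEST)

def demo():
    installed = (1, 9, 3)
    # Whoever controls the update host or the connection can swap the payload or mint a
    # manifest, but cannot sign anything with the publisher's key.
    attacker_sk = hashlib.sha256(b"attacker seed").digest()
    evil = DEMO_MANIFEST.replace(b"2.0.0", b"9.9.9")
    return {
        "genuine": verify_update(DEMO_PUBLISHER_KEY, DEMO_MANIFEST, DEMO_SIG, DEMO_PAYLOAD, installed)[0],
        "swapped_payload": verify_update(DEMO_PUBLISHER_KEY, DEMO_MANIFEST, DEMO_SIG, DEMO_PAYLOAD + b"rm -rf ~\n", installed)[0],
        "wrong_key": verify_update(DEMO_PUBLISHER_KEY, evil, ed25519_sign(attacker_sk, evil), DEMO_PAYLOAD, installed)[0],
        "rollback": verify_update(DEMO_PUBLISHER_KEY, DEMO_MANIFEST, DEMO_SIG, DEMO_PAYLOAD, (2, 0, 0))[0],
    }
```

`demo()` returns `{'genuine': True, 'swapped_payload': False, 'wrong_key': False, 'rollback': False}`: the unmodified release passes, while a payload swapped on the server or in transit, a manifest signed by anyone but the publisher, and a replay of a genuine but already-installed release are all refused before anything is handed to the user for execution. That is also the part the consent modal cannot supply on its own: the user can only approve "an installer", and it is the pinned-key check that ties the approval to the publisher's build rather than to whatever the download URL happened to return.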

LeoWattenberg 11/04/2025

You are aware that VLC, LibreOffice and many other FOSS apps have an update checker?

gpers0n 11/05/2025

To be fair, I'm not sure if that's really an accurate description of it.

Either way, just wanted to say hi! :D
