
Candidly how would someone protect against a vulnerability like this?



Build from source AND run an AI agent that reviews every single line of code you compile (while hoping that any potential exploit doesn't also fool / exploit your AI agent)


Compiling all your packages from source would be a start.


You’re not wrong. However, building from source wouldn’t have protected you against this specific backdoor. The upstream source tarball itself was compromised in a cleverly sneaky way.


You might read https://www.openwall.com/lists/oss-security/2024/03/29/4

"However, building from source wouldn’t have protected you against this specific backdoor." Depends on how exactly you build from source. A generic build was not the target. Andres Freund showed that the attack was targeted against a specific type of build system.


Building from git, or the GitHub automatic tarball, would have. The larger issue here is authenticating tarballs against the source.

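One way to do the "authenticating tarballs against the source" check the comment above calls for, as an added example that is not code from the thread or from the xz project: export the tagged commit with `git archive`, then compare the release tarball file by file against it. Files that autotools legitimately generates at release time (configure, Makefile.in, ...) are expected to exist only in the tarball, so the report separates those from anything else that was never in git, or that differs from the tagged tree. The file names, the allowlist and both tarballs below are constructed test data, not the real xz release contents.

```python
"""Compare a release tarball against the tree exported from the tagged git commit.

Added example, not from the thread or the xz project. Files that autotools
generates at release time legitimately exist only in the tarball, so they are
reported separately from unexpected additions.
"""
import hashlib
import io
import tarfile
from typing import Dict, Iterable, Set

# Paths that a release-time `autoreconf` is expected to add; anything else that
# exists only in the tarball deserves a human look. Illustrative list, not
# exhaustive; adjust it to the project being checked.
EXPECTED_GENERATED: Set[str] = {
    "configure", "Makefile.in", "aclocal.m4", "config.h.in",
    "build-aux/install-sh", "build-aux/config.guess", "build-aux/config.sub",
}


def file_digests(tar_bytes: bytes) -> Dict[str, str]:
    """Map each regular file's path (top-level directory stripped) to its SHA-256."""
    digests: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Release tarballs and `git archive --prefix=` both put everything
            # under one top-level directory; drop it so paths line up.
            parts = member.name.split("/", 1)
            path = parts[1] if len(parts) == 2 else parts[0]
            data = tar.extractfile(member).read()
            digests[path] = hashlib.sha256(data).hexdigest()
    return digests


def compare_release(reference_tar: bytes, release_tar: bytes,
                    expected_generated: Iterable[str] = EXPECTED_GENERATED) -> Dict[str, list]:
    """Classify every difference between the git export and the release tarball."""
    ref = file_digests(reference_tar)
    rel = file_digests(release_tar)
    expected = set(expected_generated)
    only_in_release = set(rel) - set(ref)
    return {
        "generated": sorted(only_in_release & expected),
        "unexpected_added": sorted(only_in_release - expected),
        "removed": sorted(set(ref) - set(rel)),
        "modified": sorted(p for p in ref.keys() & rel.keys() if ref[p] != rel[p]),
    }


def make_tarball(prefix: str, files: Dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz with one top-level directory (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: what `git archive` of the tag would contain ...
GIT_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/ax_check.m4": b"dnl harmless macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
# ... and a release tarball that adds the expected generated files, plus one
# macro file that was never in git and one source file that no longer matches.
RELEASE_TREE = dict(GIT_TREE)
RELEASE_TREE.update({
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "Makefile.in": b"all:\n",
    "m4/extra.m4": b"dnl only present in the tarball\n",
    "src/main.c": b"int main(void) { return 1; }\n",
})


def demo() -> Dict[str, list]:
    report = compare_release(make_tarball("demo-1.0", GIT_TREE),
                             make_tarball("demo-1.0", RELEASE_TREE))
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    return report


if __name__ == "__main__":
    demo()
```

Against a real project the reference bytes come from `git archive --format=tar --prefix=NAME-VERSION/ TAG` and the release bytes from the downloaded tarball; verify the maintainer's detached signature on the tarball first, but note that a valid signature only proves who published the file, not that its contents match the tagged tree, which is exactly what this comparison adds.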

There is no reason to believe the exploit would have been spotted earlier had the attacker included the final part in git.
