guix-devel
From: Ekaitz Zarraga
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Thu, 11 Apr 2024 16:05:43 +0200

Hi,

>> and everybody is reading.

> This is a steep claim! I agree that nobody reads generated files in
> a release tarball, but I am not sure how many other files are actually
> read.

Yeah, it is. I'd also love to know how effective the reading is in a release tarball vs a VCS repo. Quality of the reading is also very important. I simply don't even try to read a tarball; not having the history makes the understanding very difficult. If I find a piece of code that seems odd, I would like to `git blame` it and see what the reason for the inclusion was, who included it and so on.

It's not much, but it's better than nothing. Although I'd understand if you told me the history might be misleading, too.
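A concrete check that follows from this discussion, added here as an example (it is not code from the message above, nor a Guix tool): rather than reading a release tarball on its own, diff it against the VCS tree for the same tag and read only what the tarball adds or changes. Generated files that are only in the tarball (configure, Makefile.in, copied m4 macros) and files that exist in both but differ are exactly the ones that have no `git blame` history to consult. The checkout, the tarball name `demo-1.0.tar.gz` and the file names `m4/helper.m4` and `configure` below are all constructed for the example; in real use you would point `compare()` at the downloaded tarball and a `git checkout` of the release tag.

```python
"""Compare a release tarball against a checked-out VCS tree.

Reports files present only in the tarball (typically generated files),
files present only in the tree, and files whose contents differ.
The sample tarball and tree are constructed in a temp directory so the
example runs offline.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tarball_path):
    """Map 'path/inside/archive' -> sha256 for regular files, stripping the
    leading 'name-version/' directory that release tarballs carry."""
    out = {}
    with tarfile.open(tarball_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            if len(parts) < 2:
                continue  # file at archive root, not under the prefix dir
            out[parts[1]] = _sha256(tf.extractfile(member).read())
    return out


def tree_digests(root):
    """Map relative path -> sha256 for every file in a checkout, ignoring .git."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = _sha256(fh.read())
    return out


def compare(tarball_path, tree_root):
    """Return the three lists a reviewer wants: what to read because it has
    no history (only_in_tarball, modified) and what was dropped (only_in_tree)."""
    tar = tarball_digests(tarball_path)
    tree = tree_digests(tree_root)
    both = set(tar) & set(tree)
    return {
        "only_in_tarball": sorted(set(tar) - set(tree)),
        "only_in_tree": sorted(set(tree) - set(tar)),
        "modified": sorted(p for p in both if tar[p] != tree[p]),
    }


def build_demo(base):
    """Constructed sample: a fake checkout and a fake release tarball that
    adds a generated 'configure' and ships a differing copy of one m4 file."""
    tree = os.path.join(base, "checkout")
    os.makedirs(os.path.join(tree, "m4"))
    os.makedirs(os.path.join(tree, "src"))
    in_tree = {
        "configure.ac": b"AC_INIT([demo],[1.0])\n",
        "m4/helper.m4": b"dnl upstream macro\n",
        "src/main.c": b"int main(void){return 0;}\n",
    }
    for rel, data in in_tree.items():
        with open(os.path.join(tree, rel), "wb") as fh:
            fh.write(data)

    in_tar = dict(in_tree)
    in_tar["configure"] = b"#! /bin/sh\n# generated by autoconf\n"
    in_tar["m4/helper.m4"] = b"dnl upstream macro\ndnl line present only in the tarball\n"
    tar_path = os.path.join(base, "demo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in in_tar.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tar_path, tree


def demo():
    """Build the constructed sample and compare it; returns compare()'s dict."""
    with tempfile.TemporaryDirectory() as base:
        tar_path, tree = build_demo(base)
        return compare(tar_path, tree)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

On the constructed sample this reports `configure` as only in the tarball and `m4/helper.m4` as modified, which is the short list to read by hand. The same comparison can be done from a shell with `git archive` for the tag and `diff -r` against the extracted tarball; the point is that the tarball-only and differing files are the ones `git blame` cannot explain, so they deserve the closest reading.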