most of my personal reactions to the xz thing today have been "this is almost the perfect crime and it's incredible it was caught this early"

like every detail. the fact that the trigger is an M4 macro. nobody's going to read those, and nobody's going to diff the output of autotools between a tarball and a source control repo because those traditionally don't even match to begin with
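The check described above (diffing a release tarball against what is actually in source control) is easy to automate; this is an added example, not code from the thread or from any project, and it builds its own small constructed fixture with hypothetical file names rather than real xz content. Generated autotools output will legitimately show up in the result, so the output is a review list, not a verdict.

```python
import io
import tarfile
import tempfile
from pathlib import Path

def tarball_members(tar_path):
    # Regular files in the tarball, keyed by path with the top-level directory stripped.
    members = {}
    with tarfile.open(tar_path, "r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                members[rel] = tar.extractfile(m).read()
    return members

def tree_files(root):
    # Files under a checked-out source tree, keyed by relative path; .git is skipped.
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file() and ".git" not in p.parts}

def compare_tarball_to_tree(tar_path, tree_root):
    # Returns (paths only in the tarball, paths in both whose bytes differ), both sorted.
    tar, tree = tarball_members(tar_path), tree_files(tree_root)
    only_in_tarball = sorted(p for p in tar if p not in tree)
    differing = sorted(p for p in tar if p in tree and tar[p] != tree[p])
    return only_in_tarball, differing

def build_constructed_fixture():
    # Constructed sample: a tiny "repo" tree plus a release tarball that appends a line
    # to one m4 file and adds another m4 file that source control never had.
    repo = Path(tempfile.mkdtemp(), "repo")
    Path(repo, "m4").mkdir(parents=True)
    repo_files = {"configure.ac": b"AC_INIT([demo], [1.0])\n", "m4/ax_foo.m4": b"dnl harmless macro\n"}
    for rel, data in repo_files.items():
        Path(repo, rel).write_bytes(data)
    tar_files = dict(repo_files)
    tar_files["m4/ax_foo.m4"] += b"dnl line that exists only in the tarball\n"
    tar_files["m4/extra.m4"] = b"dnl file absent from source control\n"
    tar_path = str(repo.parent / "demo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        for rel, data in tar_files.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tar_path, str(repo)

if __name__ == "__main__":
    tar_path, repo = build_constructed_fixture()
    print(compare_tarball_to_tree(tar_path, repo))
```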

@iliana I remember when the thing to do was handwringing over curl | sh install scripts and thinking that hiding evil shit in ./configure would be just as easy so I'm feeling smug right now

@hierarchon @iliana Thought in a similar vein: it makes no sense to get all suspicious about post-install scripts in a package manager; the purpose of the package manager is literally *to install software. That will run on the system.*

The malicious code could be anywhere; whether you allow post-install scripts or not really isn't going to matter...

@joepie91 @iliana I remember doing something that wanted static analysis of JS, in which case I'm clearly not executing it, but 95% of the time yeah

@hierarchon @iliana Oh yeah, I don't doubt that there are edge cases where this *would* have helped. There are some of those for most things.

What bothers me more is the outsized importance that people tend to place on it - for a while, everybody and their dog was talking loudly about how post-install scripts should be disallowed, as if that will solve all the dependency security issues overnight...
