8 votes

xz/liblzma: Bash-stage obfuscation explained

2 comments

  1. tauon
    After the xz fiasco especially, I think less familiar and “config” style language, ahem, … dumps? should be avoided as best as possible in major projects. How many programmers know Bash well? How many can read a complex Makefile and determine that actually, this will load malware!, and so on?

    I don’t know what the alternatives are, though. Declare everything in higher-level languages? Write your own compilation steps in a script-style short program (that’s not in a shell language, e.g. conf.py) and keep the actual config strictly “un-executable” (json, toml, yaml, …)? I am not at all an expert here; and complex build steps without make are probably also too much of a pain, especially in an already-established system.

    4 votes