> and it was caught luckily at the last minute

This isn't correct at all. The changes were merged into xz and made it into testing branches of major Linux distros.

It was caught at T plus a few minutes only because a neurotic Microsoft employee performing debugging noticed an obscure performance issue.

You can literally say Microsoft saved Linux that day. Imagine thinking this 25 years ago.

It's the difference between something really bad which happened, and something really, really, really, really bad: a malicious actor having RCE credentials to every new Debian and Red Hat box on planet Earth.

▲

ApolloFortyNine 2 hours ago | parent [-]

Redhat actually stumbled on the bug separately with valgrind errors triggering, so it's days were likely numbered regardless. Probably saved them a lot of debugging but the writing was on the wall.

▲

dralley an hour ago | parent | next [-]

Red Hat noticed that something was off, but there was a new version published by "Jia Tan" that fixed the warnings and the performance issue, so it's not really clear that the original version would have still gotten as deep of an investigation as would have been needed to find the issue.

It's possible though. The noise around it did at least put Freund on alert and we should be very glad both that "Jia Tan" made the mistakes they made originally and that Freund followed up on their gut feeling

	▲	amiga386 an hour ago \| parent [-]
		> Red Hat noticed that something was off, but there was a new version published by "Jia Tan" that fixed the warnings and the performance issue Video of Jia Tan fixing the valgrind bugs: https://www.youtube.com/watch?v=A16YuzuKN58&t=138s

▲

tokyobreakfast 2 hours ago | parent | prev [-]

A lot of people fail to fully grasp how bad this could have been on the off chance the authors were slightly less sloppy.