I'm not familiar with how distros get the source code for upstream dependencies. I'm trying to understand what Andres meant when he said this:

> One portion of the backdoor is solely in the distributed tarballs

Is it that the tarball created and signed by Jia had the backdoor, but this backdoor wasn't present in the repo on github? And the Debian (or any distro) maintainers use the source code from tarball without comparing against what is in the public github repo? And how does that tarball get to Debian?

Exactly.

The threat actor had signed and uploaded the compromised source tarball to GitHub as a release artifact. They then applied for an NMU (non-maintainer upload) with Debian, which got accepted, and that's how the tarball ended up on Debian's infrastructure.
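The practical check behind this comment is to compare the distributed tarball with the tree at the corresponding git tag and look at anything that is only in, or differs in, the tarball. The script below is an added example, not code from the thread or from any distro's tooling: it builds a small constructed fixture (a fake tag tree and a fake release tarball with one extra file and one changed file) and runs a comparison function over it. The project name, file names and paths are placeholders.

```shell
#!/bin/sh
# Added example: report files that exist only in a release tarball, or that
# differ from the tree at the matching git tag. Assumes POSIX sh with tar,
# find, comm and cmp. In real use the tree would come from
# `git archive <tag>` or a checkout of the tag; here it is a constructed fixture.
set -eu

# compare_tarball_to_tree TARBALL TREE_DIR
# Prints "tarball-only <path>" for files absent from the tree and
# "differs <path>" for files present in both with different contents.
compare_tarball_to_tree() {
    tarball=$1
    tree=$2
    tmp=$(mktemp -d)
    tar -xf "$tarball" -C "$tmp"
    # release tarballs carry a single top-level directory; step into it
    top=$(ls "$tmp")
    ( cd "$tmp/$top" && find . -type f | sed 's#^\./##' | sort ) > "$tmp/tarball.lst"
    ( cd "$tree" && find . -type f | sed 's#^\./##' | sort ) > "$tmp/tree.lst"
    comm -23 "$tmp/tarball.lst" "$tmp/tree.lst" | sed 's/^/tarball-only /'
    comm -12 "$tmp/tarball.lst" "$tmp/tree.lst" | while read -r f; do
        cmp -s "$tmp/$top/$f" "$tree/$f" || echo "differs $f"
    done
    rm -rf "$tmp"
}

# Constructed fixture (placeholder project "example-1.0"): a tag tree and a
# release tarball that adds one file and changes one file.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/tag/src" "$work/rel/example-1.0/src"
    printf 'int main(void){return 0;}\n' > "$work/tag/src/main.c"
    cp "$work/tag/src/main.c" "$work/rel/example-1.0/src/main.c"
    printf 'AC_INIT([example],[1.0])\n' > "$work/tag/configure.ac"
    printf 'AC_INIT([example],[1.0])\n# changed only in the tarball\n' \
        > "$work/rel/example-1.0/configure.ac"
    # file that exists only in the distributed tarball (placeholder name)
    printf '# generated at release time\n' > "$work/rel/example-1.0/extra-only-in-tarball.m4"
    ( cd "$work/rel" && tar -cf "$work/example-1.0.tar" example-1.0 )
    echo "$work"
}

# demo: build the fixture, run the comparison, clean up, print the report
demo() {
    work=$(make_fixture)
    compare_tarball_to_tree "$work/example-1.0.tar" "$work/tag"
    rm -rf "$work"
}

demo
```

Autotools releases legitimately ship generated files (`configure`, `Makefile.in`, `m4/*.m4`) that are not in git, so the report is a review list rather than a verdict; the point is that a reviewer sees exactly which tarball content has no counterpart in the tagged tree and can decide whether each entry is expected.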


Thanks for the extra explanation. I guess this is harder to protect against than I thought, and it's more that some distros got somewhat lucky than Debian and Fedora doing something that is out of the ordinary.
