> The compromised version of Xcode was hosted on Baidu Pan. It is unlikely that Baidu was aware of the compromised version of Xcode.
I'm sorry, but at this point I no longer think "it is unlikely" Baidu was unaware. I find it too coincidental based on the simple fact that they were also involved with the DDoS attack on GitHub earlier this year.
"Baidu Yun" is an online file locker (like Dropbox) with a generous free quota. You can create a shareable link for a file with a single click. Why would you think someone at Baidu would have knowledge of a particular file a user shared on that service?
Separately, you bring up Baidu's "involvement" in the DDoS attack on GitHub. I remember reading that this was achieved using a man-in-the-middle attack on customers of Baidu's analytics product, which would not need Baidu's cooperation: http://www.netresec.com/?page=Blog&month=2015-03&post=China%...
The source is also hosted on GitHub, so GitHub must be involved in this? Funny logic. I bet you have never used Baidu Pan and have no idea how it is used by millions of Chinese people every day.