> “It appears that a build/test system was compromised some time last year and the exploit added to code in the directory from which packages are built (and file timestamps modified to make this change not show up in a git diff),” Cameron said in an email.
How, exactly, does that happen?
Does git look at timestamps first and, assuming they aren't different, not hash the file contents to compare the SHA1? This [0] git FAQ makes me think the answer is "no".
Another FAQ:
> git diff and other Git operations are optimized so it does not even look at files whose status (size, modification time etc) on disk and in Git's index are different. [...] If the file has been touched somehow, git diff has to look at the content of and compare it which is a much slower operation even when there is in fact no change.
I suspect that in addition to modifying the timestamp, the attacker also had to ensure the filesizes were the same by possibly removing whitespaces or refactoring other code.
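To make the index stat-cache behaviour discussed above concrete, here is an added example (not from the thread or from the Webmin project) modelling what git keeps per tracked file and the two checks a defender can run: the fast stat comparison that `git diff`/`git status` rely on, and the content comparison that actually catches a same-size, same-mtime edit. The index entries, file contents, and timestamps are constructed sample data; the blob hashing matches git's real `blob <len>\0<content>` SHA-1 scheme.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class IndexEntry:
    """Subset of what git stores per tracked file in .git/index: the blob id
    plus the cached stat data (size, mtime) used to decide whether to re-hash."""
    blob_sha1: str
    size: int
    mtime: int


def git_blob_sha1(content: bytes) -> str:
    """Git's blob object id: SHA-1 over the header 'blob <len>\\0' + content.
    This matches `git hash-object <file>` for unfiltered content."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()


def stat_says_unchanged(entry: IndexEntry, size: int, mtime: int) -> bool:
    """The fast path `git diff` and `git status` take: if the cached size and
    mtime match the file on disk, git assumes the content is unchanged and
    never reads or hashes the file."""
    return entry.size == size and entry.mtime == mtime


def content_says_unchanged(entry: IndexEntry, content: bytes) -> bool:
    """The slow path: hash the working-tree bytes and compare with the index.
    This is what a tampered-but-stat-identical file fails."""
    return git_blob_sha1(content) == entry.blob_sha1


def find_hidden_edits(index: dict, worktree: dict) -> list:
    """Return paths whose stat data matches the index (so git's fast path
    reports them clean) but whose content hash does not.
    worktree maps path -> (content, size, mtime) as read from disk."""
    hidden = []
    for path, (content, size, mtime) in worktree.items():
        entry = index[path]
        if stat_says_unchanged(entry, size, mtime) and not content_says_unchanged(entry, content):
            hidden.append(path)
    return sorted(hidden)


# Constructed sample repository state (hypothetical paths and timestamps).
ORIGINAL = b"hello\n"
TAMPERED = b"hellp\n"          # same length as ORIGINAL, different bytes
UNTOUCHED = b"# build helper\n"
MTIME = 1500000000             # constructed epoch seconds, preserved by the attacker

INDEX = {
    "build.sh": IndexEntry(git_blob_sha1(ORIGINAL), len(ORIGINAL), MTIME),
    "helper.sh": IndexEntry(git_blob_sha1(UNTOUCHED), len(UNTOUCHED), MTIME),
}
# What a later `stat` + read of the working tree would show: build.sh was
# rewritten in place with equal size, and its mtime reset to the old value.
WORKTREE = {
    "build.sh": (TAMPERED, len(TAMPERED), MTIME),
    "helper.sh": (UNTOUCHED, len(UNTOUCHED), MTIME),
}

if __name__ == "__main__":
    for path, (content, size, mtime) in WORKTREE.items():
        print(path, "stat-clean:", stat_says_unchanged(INDEX[path], size, mtime),
              "content-clean:", content_says_unchanged(INDEX[path], content))
    print("hidden edits:", find_hidden_edits(INDEX, WORKTREE))
```

On a real checkout the equivalent audit is to compare `git hash-object <file>` for every tracked file against the blob ids listed by `git ls-files -s`, or simply diff the working tree against a fresh clone; both bypass the stat cache that the thread's attacker relied on.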
Make sure to put any of your own personal web services behind some dumb authentication system to avoid most of these things biting you before you hear about them.
I use nginx + basic http auth, since I'm using it for https anyway.
I understand that, but they also seem to know a lot about what happened with respect to when things were checked in and with a little forensics perhaps they can figure out who it was. A deleted hard drive hasn't stopped people before and they shouldn't just give up that easily.
[1] - https://www.shodan.io/search?query=webmin