
Apparently it’s not in the original repo, but in a build script in a distribution tar.
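The check that comment points to, added here as an example (not code from the thread or from the XZ project): diff a release tarball against the tagged source tree and list what the tarball adds, alters or drops. The package name, paths and file contents below are constructed placeholders.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
# Added example; the package name and file paths are constructed placeholders.

def tree_digests(root: Path) -> dict:
    """Relative path -> sha256 for every regular file in a checked-out source tree."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def tarball_digests(path: Path) -> dict:
    """Same map for a release tarball; the leading 'pkg-1.0/' directory is stripped."""
    out = {}
    with tarfile.open(path, "r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def compare(tree: dict, tarball: dict) -> dict:
    """Files the tarball adds, alters or drops relative to the tagged tree. Generated
    autotools output is expected under 'added'; hand-written scripts the repo lacks are not."""
    return {
        "added": sorted(set(tarball) - set(tree)),
        "modified": sorted(p for p in tarball if p in tree and tarball[p] != tree[p]),
        "dropped": sorted(set(tree) - set(tarball)),
    }

def demo() -> dict:
    """Constructed case: the tarball carries an extra m4 file and a patched configure.ac."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        (repo / "m4").mkdir(parents=True)
        (repo / "configure.ac").write_bytes(b"AC_INIT([pkg], [1.0])\n")
        (repo / "m4" / "ax_ok.m4").write_bytes(b"dnl harmless macro\n")
        tarpath = Path(tmp, "pkg-1.0.tar.gz")
        with tarfile.open(tarpath, "w:gz") as tf:
            for name, data in [
                ("configure.ac", b"AC_INIT([pkg], [1.0])\nm4_include([m4/extra.m4])\n"),
                ("m4/ax_ok.m4", b"dnl harmless macro\n"),
                ("m4/extra.m4", b"dnl placeholder: present only in the tarball\n"),
            ]:
                info = tarfile.TarInfo(f"pkg-1.0/{name}")
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        return compare(tree_digests(repo), tarball_digests(tarpath))
```

Run against a real release by pointing `tree_digests` at a `git archive` of the tag and `tarball_digests` at the published tarball; anything under `added` that is not generated build output deserves a read.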


They also used social engineering to disable fuzzing which would have caught the discrepancy: https://github.com/google/oss-fuzz/pull/10667


It’s pretty funny how a bunch of people come piling reaction emojis onto the comments in the PR, after it has all become publicly known.

I’m like.. bro, adding reaction emojis after the fact as if that makes any sort of difference to anything.


That thread has become an online event and obviously lost its original constructive purpose the moment the malicious intent became public. The commenters are not trying to alter history; they're leaving their mark on a historic moment. I mean the "lgtm" aged like milk and the emoji reactions are pretty funny commentary.


Honestly, it's harassment at this point.


Feels almost like tampering with evidence at a crime scene


It’s just adding your initials on the tunnel someone famous just died in.


That’s absurd. Elaborate.


Would it really have caught it?


No


... why?


My understanding is that fuzzing "caught" the issue by crashing with ifunc disabled,

but it wouldn't have "caught" the backdoor, which uses public key cryptography.


Did the artefact produced [0] for fuzzing even include the backdoored .so? My understanding was that the compromised build scripts had measures to only run when producing debs/rpms.

https://github.com/google/oss-fuzz/blob/5f70676a6c9050b9cb68...


Is the person Jia who did this PR a malicious actor?


The person who submitted the PR, JiaT75, is.

The person who approved and merged it is not.


Has that person been found yet?

Does this problem require cops, or an airstrike?


Yeah that’s what I am asking. Thanks



