• biribiri11@lemmy.ml
    link
    fedilink
    arrow-up
    47
    ·
    edit-2
    7 months ago

    That’s barely the tip of the iceberg, too. Currently, popular projects sit at:

    31M for KDE

    25M for GNOME

    41M for Chromium

    42M for Mozilla Firefox

    17M for LLVM

    15M for GCC

    (Note that this metric includes comments and blank lines, to which Linux would count at 46M lines. Counts with blank lines and comments removed are also in those links)

    Even if a package was completely vetted, line-by-line, before it made it into a repo, would the maintainer need to get every update, too? Every PR? Imagine the maintenance burden. This code QA and maintainer burden discussion was the crux of one of the most popular discussions on the Fedora devel list.

    • lily33@lemm.ee
      link
      fedilink
      arrow-up
      25
      ·
      7 months ago

      Finally, presumably if anyone added some malicious code in a their program, it would be sneaky and not obvious from quickly reading the code.

      • Norgur@kbin.social
        link
        fedilink
        arrow-up
        38
        ·
        7 months ago

        I’d expect them to properly comment it with “#-------Begin malicious shit--------”.
        COMMENT YOUR CODE, PEOPLE!

        • lily33@lemm.ee
          link
          fedilink
          arrow-up
          13
          ·
          edit-2
          7 months ago

          Oh, in that case we don’t need to read either - just run a simple grep!

          • Norgur@kbin.social
            link
            fedilink
            arrow-up
            11
            ·
            7 months ago

            Those malicious coders are too sly for that. Some write “Sh1t” to throw grep off, others even do a “B3g1n”… They are always one step ahead!

            • lily33@lemm.ee
              link
              fedilink
              arrow-up
              5
              ·
              7 months ago

              Good point. I’d try to grep for something like [Bb3][Ee3]g[Ii1][nη]\w+<and so on> but I just know I’ll miss something

      • banazir@lemmy.ml
        link
        fedilink
        arrow-up
        12
        ·
        7 months ago

        Well yeah, the recent xz vulnerability was not present in the source code at all. Any amount of code reading would not have caught that one.

        • Successful_Try543@feddit.de
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          7 months ago

          Wasn’t the problem that it the backdoor was not present in the source code on GitHub, but was in the source tarball? So as long as one reads the code that one actually builds from should be fine.

          • SuperIce@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            7 months ago

            A line of code that enables the backdoor was out present in the tarball. The actual code was obfuscated within an archive used for the unit testing.

      • leopold@lemmy.kde.social
        link
        fedilink
        English
        arrow-up
        14
        ·
        edit-2
        7 months ago

        It’s even more bonkers than it sounds. If you look at the code locations for that KDE count, you’ll see it also includes just about every KDE project. That’s not just Plasma, that’s hundreds of projects, including some really big ones like Krita, Kdenlive, Calligra, LabPlot, Kontact, Digikam and Plasma Mobile. Hell, it even includes KHTML/KJS, KDE’s defunct web engine as well as the ancestor of WebKit and Blink. It even includes AngelFish and Falkon, KDE’s current web browser frontends.

        Same deal with GNOME. It includes just about everything on GNOME’s GitLab, even things that are merely hosted there without strictly being GNOME projects, like GIMP and GTK.

        And yet still they are both that far behind Chromium and Firefox. Modern web browsers are ludicrous.