Replies: 1 comment
-
Thank you for starting a discussion on the matter, as this could have been a big issue indeed. The binaries are built in another repository ;-) and built locally by me before checking them in. Frameworks and third party libraries used are scanned and managed by Dependabot :-).
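As an added example (not code from the project or from either participant), a shell gate that could run in CI for a repository that checks binaries in directly: it fails when a file under the binaries directory is not listed in a committed SHA-256 manifest (assumed name BINARIES.sha256, in sha256sum format) or when a listed file's digest no longer matches. It does not detect a malicious build of a listed binary; it only ties every checked-in file to a reviewed manifest change.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Assumes the checked-in
# binaries live in one directory together with a committed manifest
# named BINARIES.sha256 produced by `sha256sum <files>`.

verify_checked_in_binaries() {
    dir="$1"
    manifest="BINARIES.sha256"
    status=0

    if [ ! -f "$dir/$manifest" ]; then
        echo "MISSING manifest: $dir/$manifest" >&2
        return 1
    fi

    # 1. Every file in the directory must be listed in the manifest, so a
    #    new binary cannot be added without a visible manifest change.
    for f in $(cd "$dir" && find . -type f ! -name "$manifest" | sed 's|^\./||'); do
        if ! grep -q -- "  $f\$" "$dir/$manifest"; then
            echo "UNLISTED: $f" >&2
            status=1
        fi
    done

    # 2. Every listed file must exist and match its recorded digest.
    #    --strict also rejects malformed manifest lines; --quiet prints
    #    only failures, which is what a CI log should show.
    if ! (cd "$dir" && sha256sum -c --strict --quiet "$manifest"); then
        status=1
    fi

    return $status
}

# Usage in a CI job (path is an example):
#   verify_checked_in_binaries src/bin || exit 1
```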
-
Are the sources for the binaries under /src checked in somewhere in a private repository or are the binaries just checked in directly by contributors? I understand that a build pipeline for each of the architectures is a pain which is why I suspect the binaries are just checked in. Are the binaries scanned for any malicious code prior to being merged to main repository or just reviewed manually?
I bring this up in light of the recent supply chain attack, CVE-2024-3094.
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
Risks: