Three years ago, had a similar kind of attempt as the . A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a . In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.

gitlab.com/fdroid/fdroidclient

@eighthave I have to say that at least for a non-developer like myself, the insistence that the patch should be merged just as-is without changes kind of stands out as a bit of a red flag. It seems like they basically said multiple times to just integrate as-is without further discussion before doing so.


@nazokiyoubinbou I agree it is a red flag, but it is also perfectly normal for people to want their changes to be merged, especially when they are doing it on a volunteer basis and they want to wrap up that piece of work. Software is so often a rabbit hole that can easily suck down all your time. That's why this is a vulnerability. Developers understand that people want things merged, and it is generally worthwhile to merge improvements if they don't cause problems, even if they are not "done".

@eighthave It was the "just merge it as-is without further discussion" part that gets me. Strong implications that it was desired there should be no changes.
