The main difference between the Webmin RCE and similar build infrastructure attacks in proprietary tools is that since Webmin is FOSS, it has the opportunity to use Reproducible Builds so we all can detect this kind of attack in the future.
@kyle on the bad side, the backdoor was unknown to the developers for over a year (they knew there was a vulnerability but thought it was their code). On the good, and FOSS-enabled, side, it was detected, and it was only in the SourceForge repository, not the GitHub repository. And it's fixed now, and people who look for that sort of thing are aware of another vulnerability.