If there was malicious code in a legitimate project...

Codeberg.org's posts Post Back to profile

If there was malicious code in a legitimate project hosted on #codeberg, would we remove access to it, including for security researchers?

Short: No!

We are considering how to prevent fetching malicious code by accident, though.

In any case, we are open to collaborating with security researchers. Interested? Help us build a malware hunting team: https://codeberg.org/Codeberg/Contributing/issues/44

Background: #GitHub locked access to source code of xz, which was background of active investigation from the community.

Like 31 March at 21:21 | Open on social.anoxinon.de

5 comments

Codeberg.org

To people looking for an archive of the XZ code, you might want to check out https://tukaani.org/xz-backdoor/ which links to https://git.tukaani.org/. GitHub is not the only source of truth, although meta information about the Pull Requests is locked in to this silo.

31 March at 21:24 | Open on social.anoxinon.de

Olfred

@Codeberg Many thanks for your work on openess. It's another proof that git history is not sufficient and we cannot tolerate a locked silo like Github. PR, issues, comments and everything else are an essential part of the repository, the code is not enough.

31 March at 21:28 | Open on mamot.fr

Pluto

@Codeberg There is also a softwareheritage.org archive https://archive.softwareheritage.org/browse/origin/directory/?origin_url=https://github.com/tukaani-project/xz

1 April at 0:00 | Open on chaos.social

minecraftchest1

@Codeberg One idea I have for preventing accidental fetches of malicious code would be to prevent access through the primary domain, and require the use of a seperate (sub)domain such as [caution.codeberg.org](caution.codeberg.org), or [codeberg-caution.org](codeberg-caution.org). Weither this is done throgh a seperate instance it is cloned to, or via special handeling in the forejo would be up to debate.

1 April at 0:17 | Open on social.opendesktop.org

Daniel Parks

@Codeberg I think it makes sense to block vanilla git clone and the download buttons to prevent people from accidentally packaging or installing it.
I think what I would do is something like requiring the use of a special URL in order for clones to succeed.

31 March at 21:36 | Open on infosec.exchange