- cross-posted to:
- foss@beehaw.org
- cross-posted to:
- foss@beehaw.org
Greetings everyone. It is with much regret that I am writing this post. A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.
We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.
I agree that reproducible builds would be ideal and modifying binary releases is trivial, but any step forward is better than no review process at all.
There’s no such thing as a perfect system. It’s all about increasing the number of hoops for an attacker to jump through. This is at least a step in the right direction.