Contemplating Gus's https://forum.lazarus.freepascal.org/index.php/topic,57564.0.html there was another recent exploit where somebody persuaded users of what was in principle a robust toolchain to import malicious content from an obfuscated file https://hackaday.com/2021/12/16/pinephone-malware-surprises-users-raises-questions/

Somebody recently pointed out that the Lazarus IDE has a "Publish Project..." facility as standard, and that this provides an easy way that a user can attach example code to a forum posting where he was asking for help. I admit that that hadn't previously occurred to me, and encouraging people to use it would appear to be a good idea... subject obviously to the difficulty of getting inexperienced users to attach /anything/ to their demands for immediate assistance.
Is there any way that the IDE could be persuaded to sign the group of source files which constitute a published project, so that the community could have some confidence that nothing unexpected has been added manually? There would obviously still be problems with "execute before/after" shell scripts, but at least it would protect from stuff e.g. buried in an image resource.
Or would the difficulty of doing such a thing and the likelihood that it could be subverted by any user who could extract the salt from the IDE's source make this undesirable since it would encourage misplaced confidence?
MarkMLl
p.s. Happy Midwinter Solstice everybody
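As an added illustration of the signed-project idea raised in the post (example code, not part of the Lazarus IDE or this thread): every published file, image resources included, is hashed into a manifest and the listing is authenticated with an HMAC, so a byte appended to a resource after publishing shows up on verification. The key, file names and project contents are constructed assumptions; the key is assumed to be held by the person verifying rather than built into the IDE, since a secret in the IDE source is exactly what the post expects to be extracted, and a valid manifest only shows the files are the ones the publisher hashed, not that any script among them is benign.

```python
import hashlib
import hmac
import json
import os
import tempfile

def _digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(project_dir, key):
    # Hash every published file (units, forms, image resources and scripts
    # alike) and authenticate the listing with an HMAC under the verifier's key.
    files = {}
    for root, _dirs, names in os.walk(project_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, project_dir).replace(os.sep, "/")
            files[rel] = _digest(full)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(project_dir, manifest, key):
    # Returns (ok, problems); a bad tag or any added, missing or modified file fails.
    problems = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        problems.append("manifest tag invalid")
    current = build_manifest(project_dir, key)["files"]
    for rel in sorted(set(current) | set(manifest["files"])):
        if rel not in manifest["files"]:
            problems.append("added: " + rel)
        elif rel not in current:
            problems.append("missing: " + rel)
        elif current[rel] != manifest["files"][rel]:
            problems.append("modified: " + rel)
    return (not problems, problems)

def demo():
    # Constructed project: one unit and one image resource; bytes are appended
    # to the image after the manifest was built, as a hidden addition would be.
    key = b"key-held-by-the-verifier-not-the-ide"  # placeholder, see lead-in
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "unit1.pas"), "w") as f: f.write("unit Unit1;\n")
        with open(os.path.join(d, "logo.png"), "wb") as f: f.write(b"\x89PNG constructed")
        manifest = build_manifest(d, key)
        ok_before = verify_manifest(d, manifest, key)[0]
        with open(os.path.join(d, "logo.png"), "ab") as f: f.write(b"extra")
        return ok_before, verify_manifest(d, manifest, key)[1]
```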