This is why my trust in updates is low.

https://en.wikipedia.org/wiki/...

Updates aren't always good. Sometimes, they might introduce problems and anti-features.

(Also, didn't whoever introduced this backdoor on a wildly popular component of Linux expect to be caught?!)

Fucking hell.

This shit is only going to get worse as the shit actors are losing their grip.

I can see it not getting caught if not for it causing performance issues to someone. Makes one wonder how many of these have gone unnoticed already.

One takeaway is that you shouldn't accept a binary file to your repo unless you can verify what it is.

it would've probably been caught, just maybe not as quickly. They were rushing Fedora to include the patch so they knew they had limited time.

arguably it was also only found because of a substantial mistake; in public-facing servers, failed auth is actually a hot path within sshd so performance regressions have a huge impact.

With this hindsight, the next such attack will be optimized to hell to ensure that no one has a reason to poke around.

This smells like state sponsored work to me.