They did fuck up quite a bit though.
They injected their payload before they checked if oss-fuzz or valgrind or ... would notice something wrong.
That is sloppy and should have been anticipated and addressed BEFORE activating the code.
Anyway. This team got caught. What are the odds that this state-actor that did this, that this was the only project / team / library that they decided to attack?
This is a state sponsored event.
Pretty poorly executed though as they were tweaking and modifying things in their and other tools after the fact though.
As a state sponsored project. What makes you think this is their only project and that this is a big setback?
I am paranoid myself to think yesterdays meeting went like :
"team #25 has failed/been found out. Reallocate resources to the other 49 teams."
For the duration of a major release, up until ~x.4 pretty much everything from upstream gets backported with a delay of 6-12 months, depending on how conservative to change the rhel engineer maintaining this part of the kernel is.
After ~x.4 things slow down and only "important" fixes get backported but no new features.
After ~x.7 or so different processes and approvals come into play and virtually nothing except high severity bugs or something that "important customer" needs will be backported.
Very early google was full of passion and people that wanted to build cool things for users. There was a passion where building things that would surprise and delight users.
The process when this changed was slow but I think started 2008-2010 where passion for building something was no longer what drove people but instead the promo-process, having impact and moving the needle became what drove people. Not passion but promo-process changed the culture dramatically over time.
Me and friends used to call it the LPA cycle. (L)aunch, get (P)romo, (A)bandon and switch team. And towards the second half of the 2010s it became a de-facto rule. Once something launches with a big fanfare, after next promo-cycle almost l5 and higher engineers leave to chase their next promo in a different team.
You can see this over and over after ~2015. High velocity and innovation until launch and shortly after it grinds to a stop. very sad to see this change from early google.
Anyway. This team got caught. What are the odds that this state-actor that did this, that this was the only project / team / library that they decided to attack?