I know it's kinda popular here to hate on the Go people, but RSC has an excellent technical writeup of how (part of) the xz code insertion hack actually works. Two immediate thoughts:
- The way the malicious code inserts itself in only some circumstances and leaves almost no trace behind is legitimately cool. Very "Reflections on Trusting Trust" vibes.
- The altered makefile is described as "plausibly inscrutable". It's probably an indictment of autoconf in particular, but also of programming in general, that such a phrase is possible.
