Post from 2025-03-27 18:19:13

@stf The more I work in security the more I feel like being part of a large scheduling algorithm: we discover some information, associate some risk, then people will end up working on some specific stuff. If we cause priority inversion, starvation, etc. then we are a bad scheduler.

In this case:
- The original recommendation ("uninstall it!") turned out to be totally unsubstantiated, we can by all means call it misinformation
- Secrecy about details added to the fear and also *actively misdirected efforts* both at the level of security teams and at devs/researchers (see the confusion about #330 & people looking at new commits to find backdoors)

Since no significant new attack surface/vector was presented, I don't even think the code will get that much scrutiny, as exploitability is pretty low (local with user interaction).

In the end, the cost-benefit analysis looks really bad to me.