Agreed - the end of the article does state compiling untrusted repos is effectively the same as running an untrusted executable, and you should treat it with the same caution (especially if its malware or gaming cheat adjacent)

Well that’s certainly no light read - I’ll admit that I’ve only read the first six sections of the document for now

The crux of it that I could see was the initial repo that was backdoored contained a malicious Windows command in the PreBuildCommand field of .vbproj file

My initial thoughts would be that it might be advisable for build tools to confirm any defined build commands with the user when it detects a command not seen before?

I suppose otherwise the argument could be made that if you’re downloading and compiling code that is backdoored, if you’re not checking .vbproj or equivalents, you’re probably also not auditing any source code either and you’re being pwned either way.

I wouldn’t think so - it depends on your priorities.

The open source and offline nature of this without the pretenses of “Hey, we’re gonna use every query you give as a data point to shove more products down your face” seems very appealing over Gemini. There’s also that Gemini is constantly being shoved in our faces and preinstalled, whereas this is a completely optional download.