
Short summary is that it allows auth bypass, not just RCE.


RCE as root is already the worst case though. The auth bypass is basically just a convenience feature of the backdoor. So yeah it's mildly interesting but not really a new development of the story.


Yes, I understand. It's just not a surprise.


It was surprising because previously we had:

'XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable."' [0].

[0]: https://news.ycombinator.com/item?id=39877267 (811 comments)


Did you understand the XZ backdoor before the rest of us?

We will figure it out. With all of our stubborn ways, we can document it. Clap



