Am I right in thinking that a reviewer sees the same page as the author
when looking at a new version of an extension, just with the additional
option to approve the extension?
If this is the case, then it is trivial to sneak malicious code through
the review process.
Steps to reproduce:
Insert malicious code into the extension and submit a new version.
Go to review page and reject your new version.
Change shell version or some other trivial change.
Upload new version.
Observe that the review page shows a diff from the rejected version, so
the reviewer only sees the trivial change and approves the
extension.
If this is right, then the review diff really needs to be changed to
show a diff from the last APPROVED version.
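The baseline problem the report describes, modelled as an added example (this is not the poster's code and not the review tooling of extensions.gnome.org): a hypothetical ReviewQueue keeps every submitted version with a status, and review_diff() can compute the diff either against the previous submission (the behaviour the report observes) or against the last approved version (the behaviour it asks for). The extension sources, the injected line and the shell-version bump are constructed sample data.

```python
import difflib

APPROVED, REJECTED, PENDING = "approved", "rejected", "pending"


class ReviewQueue:
    """Hypothetical review queue: each submitted version carries a status."""

    def __init__(self):
        self.versions = []  # index i holds version i+1

    def submit(self, source):
        self.versions.append({"source": source, "status": PENDING})
        return len(self.versions)

    def set_status(self, version, status):
        self.versions[version - 1]["status"] = status

    def last_approved_before(self, version):
        # Walk back from the version under review to the newest APPROVED one.
        for v in reversed(self.versions[: version - 1]):
            if v["status"] == APPROVED:
                return v
        return None  # nothing approved yet: diff against an empty extension

    def review_diff(self, version, baseline):
        new = self.versions[version - 1]
        if baseline == "last_submitted":
            # Flawed baseline: the previous upload, even if it was rejected.
            old = self.versions[version - 2] if version > 1 else None
        elif baseline == "last_approved":
            # Correct baseline: what users actually received last.
            old = self.last_approved_before(version)
        else:
            raise ValueError(baseline)
        old_lines = old["source"].splitlines() if old else []
        return list(difflib.unified_diff(old_lines, new["source"].splitlines(),
                                         fromfile="baseline", tofile=f"v{version}",
                                         lineterm=""))


def added_lines(diff):
    """Lines a reviewer would see as additions ('+++' header excluded)."""
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


# Constructed sample sources for the three uploads in the report.
V1 = """\
const Main = imports.ui.main;
// shell-version: 3.36
function enable() {
    Main.notify('hello');
}
"""
INJECTED = "    runPayload();  // constructed stand-in for the injected code"
V2 = V1.replace("    Main.notify('hello');\n",
                "    Main.notify('hello');\n" + INJECTED + "\n")
V3 = V2.replace("3.36", "3.38")  # the trivial change after the rejection


def reproduce():
    """Steps from the report; returns what the reviewer sees under each baseline."""
    q = ReviewQueue()
    v1 = q.submit(V1)
    q.set_status(v1, APPROVED)
    v2 = q.submit(V2)
    q.set_status(v2, REJECTED)   # author rejects their own malicious upload
    v3 = q.submit(V3)            # re-upload with only the version bump
    return {
        "last_submitted": added_lines(q.review_diff(v3, "last_submitted")),
        "last_approved": added_lines(q.review_diff(v3, "last_approved")),
    }


if __name__ == "__main__":
    for baseline, lines in reproduce().items():
        print(f"[{baseline}] reviewer sees {len(lines)} added line(s):")
        for line in lines:
            print("   +" + line)
```

With the "last_submitted" baseline the only addition shown is the shell-version line; the injected call was already present in the rejected v2 and never appears. With "last_approved" the diff is taken against v1 and the injected line is visible, which is the fix the report asks for.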