[[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> There is not much one can do when a maintainer with signing/release > power does something intentionally wrong. That is clearly true. I don't think we should propose changes in tools with the idea of outright preventing insider sabotage. We should also point out that free software is still far safer than nonfree software. With nonfree software, intentional sabotage and back doors are normal practice (see https://gnu.org/malware/), and unintentional gross security failures are not unusual. However, this case could suggest improvements in practices or tools that would catch more mistakes, and some instances of sabotage too. It can't hurt to think about possibilities for that, That's useful to think about, as long as we don't insist that the target is perfection. Because, as you said, no change in tools could protect _perfectly_ against devious sabotage by maintainers. We may need more maintainers on some of the tools in question. Aside from autoconf and automake, what tools are involved here? -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org)
