On 2024-03-29 23:29:01 -0700 (-0700), Russ Allbery wrote:
[...]
> if the Git repository is somewhere other than GitHub, the
> malicious possibilities are even broader.
[...]
I would not be so quick to make the same leap of faith. GitHub is not itself open source, nor is it transparently operated. It's a proprietary commercial service, with all the trust challenges that represents. Long, long before XZ was a twinkle in anyone's eye, malicious actors were already regularly getting their agents hired onto development teams to compromise commercial software. Just look at the Juniper VPN backdoor debacle for a fairly well-documented example (but there's strong evidence this practice dates back well before free/libre open source software even, at least to the 1970s). If anything, compromising an open project or transparent service is probably considerably harder; these sorts of people thrive in the comfort of shadows that the proprietary software world offers them, and (thankfully) struggle in the open, as with the rather quick identification and public response demonstrated in this case. I would be quite surprised by similarly rapid or open discussion from a proprietary service that discovered a saboteur in its ranks.

-- 
Jeremy Stanley