Hello, On Thu, Nov 24, 2022 at 08:08:46PM -0500, Jeffrey Walton wrote: > On Thu, Nov 24, 2022 at 7:28 PM Andy Smith <a...@strugglers.net> wrote: > > ... > > I think the most obvious counter-argument is that it would be a waste of > > effort and human assets to put exploits in open source software where > > they stand a good chance of being found, while there is so much closed > > source software (firmware, drivers, agents, …) and similar targets that > > can be used instead. If you have a developer (or a whole corporation) in > > your pocket, why do you want to burn them by having them put something > > malicious in an open source project? > > https://www.theregister.com/2003/11/07/linux_kernel_backdoor_blocked/
That isn't a conspiracy to design an entire application that is hostile to the user, it was an example of an opportunistic attempt to insert a backdoor by an anonymous identity with no standing within the project. No conspiracy needed, and no assets burned. It's also been tried many times since. It (submitting kernel patches with security flaws in them) has even been tried by university researchers to try to determine how easy or difficult it is for a paper. The fact that it was quite easily spotted shows how fruitless this is for the most part. And also shows how likely it is that closed source software does contain these things, since far fewer people will ever be able to tell. It's obviously not impossible to slip something by from time to time, it's just not that effective. Outside of cryptocurrency, anyway! Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting