On Wed, Oct 29, 2025 at 11:56 AM Gary Gregory <[email protected]> wrote:
> > > the vine IMO due to all of the hoops and requests it makes on
> > > contributions.
> >

Log4Shell I have. I was directly involved in the response to that clusterfuck at probably the largest Java shop on the planet. And having been through that, and multiple other emergency security response efforts caused by holes in open source software deep in the stack, I am astonished that people still think it's OK to build and build on top of projects where all that's needed to compromise the global infrastructure is to buy or steal the GitHub account of one unpaid hobbyist. No, this is not the only way systems are compromised, but it absolutely is one way, and one that's easy to protect against. Not doing that is professional misfeasance.

--
Elliotte Rusty Harold
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
