On Thu, Oct 30, 2025 at 4:39 AM Elliotte Rusty Harold <[email protected]> wrote:
> On Wed, Oct 29, 2025 at 4:42 PM Matt Sicker <[email protected]> wrote:
> >
> > Log4Shell was exploitable via a commit introduced from merging a
> > user-provided patch. It went through the entire review process.
>
> Let me try to make my point more clearly. Log4Shell is clear evidence
> that open source dependencies can open massive security holes in
> infrastructure. Anything that risky needs every protection we can
> reasonably enable. Defense in depth is required. CTR is a necessary
> though not sufficient protection. There are many other necessary
> protections, but CTR is absolutely one of them.
>
> We cannot depend on the good judgment and good intentions of single
> individuals. Single software engineers can be and are compromised,
> hacked, and/or bought. CTR significantly raises the bar for injecting
> bad code into the product, both intentionally and unintentionally. It
> is a good and useful practice. There are many attacks on the software
> supply chain, and we need to detect and prevent all of them. I do not
> expect that any one defense will prevent every possible attack, but
> that means we need more than one defense, not that we should settle
> for zero. Code review is one of the broadest and most general defenses
> we have since it applies human intelligence to both known and unknown
> threats. It is the only defense I know that has a chance of detecting
> newly invented supply chain attacks before they're deployed.
>

I think you mean "RTC" but that is not the point. Nobody is saying we should not be reviewing commits. That's why they are all published. As PMC members it is our collective responsibility to review commits. Having them bundled into PRs doesn't make that any easier, IMO. At the end of the day, the commits are the changes.

The best thing we can do - not just here, but in every OSS community - is to get more eyeballs on code. That means building communities. Byzantine processes make that harder.
Phil

> --
> Elliotte Rusty Harold
> [email protected]
