On 4/2/24 12:54, Sandra Loosemore wrote:
Do we need to harden our process, too, to require all patches to be signed off by someone else before committing?
It's easy for an attacker to arrange to have "someone else" in cahoots. Although signoffs can indeed help catch inadvertent mistakes, they're relatively useless against determined attacks of this form, and we must assume that nation-state attackers will be determined.