On Tue, Apr 2, 2024 at 6:09 PM Guinevere Larsen via Gdb <g...@sourceware.org> wrote:
> [...]
> What likely happened for the maintainer who acted in bad faith was that
> they entered the project with bad-faith intent from the start, seeing
> as they were only involved with the project for 2 years, and there was
> much social pressure from fake email accounts for the single maintainer
> of XZ to accept help.

The infiltration appears to have started offline, earlier than June 2022. See <https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html>.

> While we would obviously like to have more area maintainers and possibly
> global maintainers to help spread the load, I don't think any of the
> projects listed here are all that susceptible to the same type of social
> engineering. For one, getting the same type of blanket approval would be
> a much more involved process because we already have a reasonable number
> of people with those privileges; no one is dealing with burnout and
> sassy customers saying we aren't doing enough.
>
> Beyond that, we (GDB) are already experimenting with approved-by, and I
> think glibc was doing the same. That guarantees at least a second set of
> eyes that analyzed and agreed with the patch; I don't think signed-off
> would add more than that tag (even if security was not the reason why we
> implemented them).

Jeff