Unpopular opinion: The UMN security researchers that executed a successful supply chain attack on the kernel did a public service.
Can state actors get away with this too? Did they already?
We need serious reform in open source code review.
@nob0dy get approval from who? The actual people that sign off on the commits?
Meanwhile anyone can still submit code anonymously and do this again, only this time for a state actor.
The university exposed a massive process flaw that banning emails from a particular EDU won't fix.
@nob0dy I committed anonymously to the kernel. If someone coerced me I could do it again, only this time I could be asked to slip in something extra.
How will they catch me? Clearly the review process is not sufficient.
The security researchers proved a point very successfully.