top | item 39882701

rigid | 1 year ago

I bet in the majority of cases, there's no need to pressure for merging.

In a big company it's much easier to slip it in. Code seemingly less relevant for security is often not reviewed by a lot of people. Also, often people don't really care and just sign it off without a closer look.

And when it's merged, no one will ever look at it again, other than with FOSS.

yborg | 1 year ago

An insider could just be tasked to look for exploitable vulnerabilities in existing code and compile this information for outside entities without ever having to risk inserting a purpose-made backdoor. Considering the security state of most large codebases, there would be a bottomless well of them.

91bananas | 1 year ago

Who wants this job, that is capable of actually doing it properly?

sylware | 1 year ago

I think you nailed it.