top | item 43079101


scanr | 1 year ago

This could be bad for supply chain attacks. Basically the xz hack.

Step 1. Helpful person starts committing useful PRs and offers to help out until they get commit rights. I don’t think this is hard to achieve generally.

Step 2. Organised campaign of grumpy users complaining about how poorly the software is being maintained along with a bunch of pile-ons.

Step 3. Benign committer decides it’s all too much and quits. The general feeling that open source committers are undervalued makes this more likely.

Step 4. Supply chain attack by new evil committer.


barryrandall | 1 year ago

It's either that, or Enterprise Linux vendors will start buying out struggling maintainers in order to make future updates subscriber-only.

gilleain | 1 year ago

So might it be useful to have some mechanism to check if the 'maintainer' (owner/principal committer/?? - what Peter Murray-Rust used to refer to as the 'Dr Who') changes?

Like, when bumping the version on a dependency, the security system could check if the maintainer has changed, then you could go and double-check any changes.
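
One way to implement the check described above, as an added example that is not code from the thread or from any registry: compare the set of accounts that published the versions you already run against the accounts that published the versions a bump would pull in, and hold the bump for a manual diff when a new account appears. It assumes npm-registry-style metadata, where each published version carries an `_npmUser` object naming the account that ran `npm publish`; the package names, versions and account names below are constructed. The check only sees a change of publishing account, not a change of the person behind the same account.

```python
"""Flag dependency bumps whose publisher account set has changed.

Added example, not code from the thread. Assumes npm-registry-style metadata
(``versions[<ver>]["_npmUser"]["name"]``); all package data below is constructed.
"""
from dataclasses import dataclass

# Constructed registry documents, shaped like the npm registry's /<package>
# response. Package names, versions and accounts are made up for this example.
REGISTRY = {
    "left-pad-ish": {
        "versions": {
            "1.2.3": {"_npmUser": {"name": "alice"}},
            "1.2.4": {"_npmUser": {"name": "alice"}},
            "1.3.0": {"_npmUser": {"name": "mallory"}},  # new publisher appears here
        },
    },
    "tiny-parser": {
        "versions": {
            "0.9.0": {"_npmUser": {"name": "bob"}},
            "0.9.1": {"_npmUser": {"name": "bob"}},
        },
    },
}


@dataclass(frozen=True)
class BumpReport:
    package: str
    old_version: str
    new_version: str
    old_publishers: frozenset  # accounts behind versions <= old_version
    new_publishers: frozenset  # accounts behind versions in (old_version, new_version]

    @property
    def new_accounts(self) -> frozenset:
        """Accounts that published into the bump range but never before it."""
        return self.new_publishers - self.old_publishers

    @property
    def suspicious(self) -> bool:
        return bool(self.new_accounts)


def _vkey(version: str) -> tuple:
    # Plain dotted-integer ordering; pre-release suffixes are out of scope here.
    return tuple(int(part) for part in version.split("."))


def publisher_sets(doc: dict, old_version: str, new_version: str):
    """Split a package document's publishers into 'already running' and 'about to pull in'."""
    old_pub, new_pub = set(), set()
    for version, meta in doc["versions"].items():
        who = meta.get("_npmUser", {}).get("name")
        if who is None:
            continue  # registry entry without publisher info: nothing to compare
        if _vkey(version) <= _vkey(old_version):
            old_pub.add(who)
        elif _vkey(version) <= _vkey(new_version):
            new_pub.add(who)
    return frozenset(old_pub), frozenset(new_pub)


def check_bump(registry: dict, package: str, old_version: str, new_version: str) -> BumpReport:
    old_pub, new_pub = publisher_sets(registry[package], old_version, new_version)
    return BumpReport(package, old_version, new_version, old_pub, new_pub)


def review_bumps(registry: dict, bumps: dict) -> list:
    """bumps maps package -> (old_version, new_version); returns reports needing review."""
    reports = (check_bump(registry, pkg, old, new) for pkg, (old, new) in bumps.items())
    return [r for r in reports if r.suspicious]


if __name__ == "__main__":
    proposed = {"left-pad-ish": ("1.2.3", "1.3.0"), "tiny-parser": ("0.9.0", "0.9.1")}
    for r in review_bumps(REGISTRY, proposed):
        print(f"{r.package} {r.old_version} -> {r.new_version}: published by new account(s) "
              f"{sorted(r.new_accounts)}; read the diff before merging")
```

In the constructed data, `left-pad-ish` is held because `mallory` first appears in the bump range, while `tiny-parser` passes because `bob` published every version on both sides of the bump. Dropping the held bump into a manual-review queue rather than blocking it outright keeps the check usable on repositories with many dependencies.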

bdhcuidbebe | 1 year ago

We used to meet physically 15 years ago to exchange PGP keys, building a verifiable chain of trust.

It's depressing to see these efforts ignored nowadays and the consequence being that we still can't trust anyone online.

nradov | 1 year ago

I assume there is also a black market for mature GitHub accounts. So you won't necessarily know if the maintainer is now a different person.