Mic92 | 4 months ago

Don't they use email to accept contributions? Seems like a security nightmare w.r.t. impersonation.

udev4096|4 months ago

How? It's signed with their keys. The Linux kernel also uses mailing lists and I have yet to see someone trying to impersonate someone.

Mic92|4 months ago

I haven't seen anything about requirements for GPG. Also the UX of it is not so great, so it's easy to just not have a signature without causing too much suspicion. Would be a much easier attack than what Jia Tan pulled off. Just wait for some contributor to go on holiday and send a malicious v2 patch. There are so many patches processed in the Linux kernel that no one would notice.