Originally posted by lowflyer
Open source's weakness is also its strength: while just about anyone can make malicious/devious changes without much restriction, just about anyone can identify such changes too. So really, if large open-source projects are to be safe, all it really takes is having enough eyes (ideally anonymous) inspect the commits for suspicious activity. Personally, I think this is necessary beyond security reasons - it's also good to identify potential conflicts or inefficient code.
Thinking that "you can extrapolate the intentions" of a malicious actor is blue-eyed. You would not even know that you have been set up.
I would be more worried about a NATO country spying on me, since they have a lot more power over my life.
Commonplaces like "all code from all sources should be vetted" do not help because that's like saying "if the others would do like I do ...". Saying "being sourced from China isn't a compelling reason" is being blue-eyed.
Let me repeat: This is not about China specifically. A few years back I had another incident that was caused by a German developer.