On Wed, Apr 3, 2024, 3:09 AM Florian Weimer via Gdb <g...@sourceware.org>
wrote:

> * Guinevere Larsen via Overseers:
>
> > Beyond that, we (GDB) are already experimenting with approved-by, and
> > I think glibc was doing the same.
>
> The glibc project uses Reviewed-by:, but it's completely unrelated to
> this.  Everyone still pushes their own patches, and there are no
> technical countermeasures in place to ensure that the pushed version is
> the reviewed version.
>

Or that there isn't "collusion" between a malicious author and reviewer.
Just tagging it approved or reviewed by just gives you two people to blame.
It is not a perfect solution either.

But double checking and checklists are good practices. They are not
foolproof if some bad actor is determined enough.

--joel



> Thanks,
> Florian
>
>
