Gary Buhrmaster wrote:
> What I do think we should start with is look at the
> list of dependencies in the list of whatever we
> can agree are security critical packages (running
> as root and opening network ports is always a
> good start) and dependencies which are not
> supported by a large-ish organization (even if
> only informal), with a set of experienced
> developers, and sufficiently funded to continue
> support of the package, and has a good security
> reporting and response process in place.
What if, as in the case of SELinux, said "large-ish organization" is exactly
the kind of organization one would expect to plant a backdoor like this?
Also, a "large-ish organization" can be secretly contacted by the
intelligence agencies of the country it resides in and tasked to implement
secret backdoors for them. It has happened with large proprietary software
providers, so why could it not happen with a large organization developing
Free Software?
Projects done by a "large-ish organization" are NOT immune to this kind of
attack. It would just be executed differently, not as a hostile takeover by
one "motivated new maintainer" as for an individual hobbyist project like
xz.
Kevin Kofler
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
