> On Apr 2, 2024, at 4:03 PM, Paul Eggert <egg...@cs.ucla.edu> wrote:
> 
> On 4/2/24 12:54, Sandra Loosemore wrote:
>> Do we to harden our process, too, to require all patches to be signed off by 
>> someone else before committing?
> 
> It's easy for an attacker to arrange to have "someone else" in cahoots.
> 
> Although signoffs can indeed help catch inadvertent mistakes, they're 
> relatively useless against determined attacks of this form, and we must 
> assume that nation-state attackers will be determined.

Another consideration is the size of the project.  "Many eyeballs" helps if 
there are plenty of people watching.  For smaller tools that have only a small 
body of contributors, it's easier for one or two malicious ones to subvert 
things.

Would it help to require (rather than just recommend) "don't use root except 
for the actual 'install' step"?

        paul
