Re: [GTALUG] supply chain risks: a real example

2022-03-18 Thread Lennart Sorensen via talk
On Fri, Mar 18, 2022 at 12:53:06PM -0400, Alvin Starr via talk wrote: > This is not just an open source issue since anybody can inject bad code into > a project. > Open source being more open has fewer people working to hide issues. > > This is definitely an example of someone taking an action with

Re: [GTALUG] supply chain risks: a real example

2022-03-18 Thread D. Hugh Redelmeier via talk
| From: Alvin Starr via talk | As for the github posting about an NGO being damaged. | There are a handful of things that raise red flags for me. | None of these are clear indicators of fakery but make me scratch my head and | want to look more closely at this before taking it at face value. |

Re: [GTALUG] supply chain risks: a real example

2022-03-18 Thread Alvin Starr via talk
This is not just an open source issue since anybody can inject bad code into a project. Open source being more open has fewer people working to hide issues. This is definitely an example of someone taking an action without thinking about the potential for collateral damage. But multiple state an

[GTALUG] supply chain risks: a real example

2022-03-18 Thread D. Hugh Redelmeier via talk
Supply chain risks are important in open source: with so many contributors, how can one be sure that there aren't malicious components? (Buggy components are also a threat.) (Closed source has this problem too, with some variations.) This is a scary real current example: