It may be useful for us to somehow ‘scope’ this XZ issue into things that 
are ‘in’ our domain - and things that are (well) outside the software industry 
domain.

E.g. a typical state actor that is able to fund/control a person for several 
years surreptitiously is in itself hard to avoid - in the commercial world, in 
the open source world or even deep within the intelligence community. These 
things happen. 
And you sort of accept that - and focus on things such as 4-eyes and so on in 
the normal world, while you let the spooks do their thing in their field of 
expertise. 

But you generally do not expect industry to tackle this head on. I.e. we expect 
the shipping industry around Rotterdam harbour to make smuggling drugs fairly 
hard & expensive. But there is a certain range of activities that we expect the 
police and the governments to do. And you do not expect a software company 
(or open source project) whose primary process is to build the right software 
to become deep experts at such a tertiary field.

On the other hand - if instead of a state actor inducing/coercing/participating 
one would look at, say, a volunteer that is being ‘stupid’ - then it is in our 
realm. (Stupid here can be like those professors a few years ago that were 
experimenting with introducing vulnerabilities to see how fast they would be 
spotted — but may also be humans that feel a need for some protection, things 
they can barter with (e.g. with their local powers) or things they can cash in 
in times of need (e.g. in a bug bounty programme for hard US dollars).) And then 
it is much more in our realm to see if we can solve it.

But somehow I think it would be good to determine where we can go and where 
not. I.e. the analogy of drugs smuggling and the role of, say, a transport 
company or a truck driver company.

With kind regards,

Dw

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org