Jeremy Stanley <fu...@yuggoth.org> writes:

> On 2024-03-29 23:29:01 -0700 (-0700), Russ Allbery wrote:
> [...]
>> if the Git repository is somewhere other than GitHub, the
>> malicious possibilities are even broader.
> [...]
>
> I would not be so quick to make the same leap of faith. GitHub is
> not itself open source, nor is it transparently operated. It's a
> proprietary commercial service, with all the trust challenges that
> represents. Long, long before XZ was a twinkle in anyone's eye,
> malicious actors were already regularly getting their agents hired
> onto development teams to compromise commercial software. Just look
> at the Juniper VPN backdoor debacle for a fairly well-documented
> example (but there's strong evidence this practice dates back well
> before free/libre open source software even, at least to the 1970s).

This is a valid point: let me instead say that the malicious possibilities are *different*.

All of your points about GitHub are valid, but the counterexample I had in mind is one where the malicious upstream runs the entire Git hosting architecture themselves and can make completely arbitrary changes to the Git repository freely. I don't think we know everything that is possible to do in that situation. I think it would be difficult (not impossible, but difficult) to get into that position at GitHub, whereas it is commonplace among self-hosted projects.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>