On Wed, Oct 29, 2025 at 4:42 PM Matt Sicker <[email protected]> wrote:
>
> Log4Shell was exploitable via a commit introduced from merging a
> user-provided patch. It went through the entire review process.
Let me try to make my point more clearly. Log4Shell is clear evidence that open source dependencies can open massive security holes in infrastructure. Anything that risky needs every protection we can reasonably enable. Defense in depth is required.

CTR is a necessary though not sufficient protection. There are many other necessary protections, but CTR is absolutely one of them. We cannot depend on the good judgment and good intentions of single individuals. Single software engineers can be and are compromised, hacked, and/or bought. CTR significantly raises the bar for injecting bad code into the product, both intentionally and unintentionally. It is a good and useful practice.

There are many attacks on the software supply chain, and we need to detect and prevent all of them. I do not expect that any one defense will prevent every possible attack, but that means we need more than one defense, not that we should settle for zero. Code review is one of the broadest and most general defenses we have since it applies human intelligence to both known and unknown threats. It is the only defense I know that has a chance of detecting newly invented supply chain attacks before they're deployed.

--
Elliotte Rusty Harold
[email protected]
