Supply chain attacks are a concern. In practice I've never heard of one of these coming about because of old committer account compromise. I have seen them happen because:
1. A threat actor actively targets a project and becomes a committer by submitting good patches over time.
2. An entire project — including repo, accounts, and credentials — is sold to a bad actor.

The first seems to be committed by nation states. The second seems to be committed by spammers and adware cretins.

What we can do to defend against this threat is to protect the master branches on github, require every commit to be associated with a PR, and require a code review for every commit. I'll point again to https://github.com/apache/maven-dependency-plugin/pull/444

If this would break release scripts and other tooling, then it's time to rewrite those scripts. Currently I routinely notice commits that have not gone through a PR or code review. Sometimes I'll look closer if I'm bored, but that's rare. Right now almost any committer could push arbitrary code into our plugins and if it's sneaky enough, or in an out of the way location, no one would notice until it's too late.

--
Elliotte Rusty Harold
elh...@ibiblio.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
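An added audit script (not from the post or the Maven project) for the "commits that have not gone through a PR" problem raised above: it walks a constructed `git log --first-parent` listing of a master branch and flags commits that show no sign of a GitHub PR merge. It assumes the two default GitHub markers: a merge commit whose subject starts with "Merge pull request #N", or a squash commit whose subject ends in "(#N)"; the hashes and subjects are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of:
#   git log --first-parent --format='%H%x09%P%x09%s' master
# Fields are tab-separated: sha, space-separated parent shas, subject.
# Hashes are placeholders, not real commits.
SAMPLE_LOG = """\
c0ffee01\tc0ffee02 b4dcafe1\tMerge pull request #444 from example/protect-master
c0ffee02\tc0ffee03\t[MDEP-123] Fix classpath ordering (#443)
c0ffee03\tc0ffee04\tbump version for release
c0ffee04\tc0ffee05 b4dcafe2\tMerge pull request #441 from example/feature
c0ffee05\t\tInitial commit
"""

# GitHub's default squash-merge subject ends with " (#N)".
SQUASH_RE = re.compile(r"\(#\d+\)\s*$")
# GitHub's default merge-commit subject starts with this prefix.
MERGE_RE = re.compile(r"^Merge pull request #\d+")


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the tab-separated log format into dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, subject = line.split("\t", 2)
        commits.append({"sha": sha, "parents": parents.split(), "subject": subject})
    return commits


def went_through_pr(commit: Dict[str, object]) -> bool:
    """True if the commit looks like a GitHub PR merge (merge or squash)."""
    subject = str(commit["subject"])
    parents = commit["parents"]
    if len(parents) > 1 and MERGE_RE.match(subject):
        return True
    return len(parents) == 1 and SQUASH_RE.search(subject) is not None


def direct_pushes(text: str, skip_root: bool = True) -> List[str]:
    """Return SHAs on the first-parent chain with no evidence of a PR."""
    flagged = []
    for c in parse_log(text):
        if skip_root and not c["parents"]:
            continue  # the root commit predates any PR workflow
        if not went_through_pr(c):
            flagged.append(str(c["sha"]))
    return flagged


if __name__ == "__main__":
    for sha in direct_pushes(SAMPLE_LOG):
        print("no PR evidence:", sha)
```

Subjects are just text that anyone with push access can write, so this only audits history after the fact; the enforcement the post asks for is the branch protection rule itself.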