(moving this to gentoo-user as this is really getting off-topic for -dev)

On Sun, Mar 31, 2024 at 7:32 AM stefan11111 <stefan11111@shitposting.expert> wrote:
>
> Had I seen someone say that a bad actor would spend years gaining the trust of FOSS
> project maintainers in order to gain commit access and introduce such sophisticated
> back doors, I would have told them to take their meds.
> This is insane.

It makes quite a bit of sense though. For a low-activity FOSS project, how much manpower does it take to gain a majority share of the governance? In this case it is one person, but even for a big project (such as Gentoo) I suspect that 3-4 people working full time could probably hit upwards of 50% of the commit volume. That doesn't have to be 3-4 "Gentoo developers." It could be 3-4 human beings with 1 admin assistant who manages 50 email addresses that the commits get spread across, and they sign up as 50 Gentoo developers and get 50 votes for the Council (and probably half the positions there if they want them), the opportunity to peer review "each other's" contributions, and so on.

I just use Gentoo as an example as we're all familiar with it and probably assume it couldn't happen here. As you go on, the actual targets are likely to be other projects...

> If this happened to something like firefox, I don't think anyone would
> have found out.
> No one bats an eye if a website loads 0.5s longer.

It seems likely that something like this has ALREADY happened to firefox. It might also happen with commercial software, but the challenge there is HR, as you can't just pay 1 person to masquerade as 10 when they all need to deal with payroll taxes.

We're going on almost 20 years since the Snowden revelations, and back then the NSA was basically doing intrusion on an industrial scale. You'd have dev teams building zero days and rootkits, sysadmin teams who just administrate those back doors to make sure there are always 2-3 ways in just in case one gets closed, SMEs who actually make sense of the stolen data, rooms full of engineers who receive intercepted shipments of hardware and install backdoors on them, and so on.

We're looking at what probably only one person can do if they can dedicate full time to something like this. Imagine what a cube farm full of supervised developers with a $50M budget could do, and that is pocket change to most state actors. The US government probably spends more than that in a year on printer paper.

-- 
Rich