
Re: Validating tarballs against git repositories



Ingo Jürgensmann <ij@2023.bluespice.org> writes:

> This reminds me of https://xkcd.com/2347/ - and I think that’s getting a
> more common threat vector for FLOSS: pick up some random lib that is
> widely used, insert some malicious code and have fun. Then also imagine
> stuff that automates builds in other ways like docker containers, Ruby,
> Rust, pip that pull stuff from the network and install it without
> further checks.

> I hope (and am confident) that Debian as a project will react
> accordingly to prevent this happening again.

Debian has precisely the same problem.  We have more work to do than we
possibly can do with the resources we have, there is some funding but not
a lot of funding so most of the work is hobby work stolen from scarce free
time, and we're under a lot of pressure to encourage and incorporate the
work of new maintainers.

And 99% of the time trusting the people who step up to help works out
great.

The hardest part about defending against social engineering is that it
doesn't attack the weakness of a community.  It attacks its
*strengths*: trust, collaboration, and mutual assistance.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>