Unpopular opinion: The UMN security researchers that executed a successful supply chain attack on the kernel did a public service.
Can state actors get away with this too? Did they already?
We need serious reform in open source code review.
I have no intention of actually doing this, but the point stands.
Domains of a number of past kernel contributors have expired.
Someone could just take one of those over and submit a patch from the same email.
Email domain bans are not a solution.
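The expired-domain scenario described above can be checked for mechanically. The script below is an added example, not code from the original thread or from the kernel project: it parses `git log --format='%an <%ae>'` output, groups author emails by domain, and flags domains that no longer resolve, which is the precondition for someone re-registering the domain and sending mail as a former contributor. The sample log lines and names are constructed; the resolver is injectable so the logic runs offline, and a live run uses `socket.getaddrinfo`. Note the caveat in the comments: NXDOMAIN is a strong signal that a domain has lapsed, but a resolving domain is not proof that the original owner still controls it, so the real check is a signature on the patch, not the From: header.

```python
import re
import socket
from collections import defaultdict

# Constructed sample of `git log --format='%an <%ae>'` output.
# Names, addresses and domains are hypothetical (.example is reserved).
SAMPLE_LOG = """\
Alice Example <alice@example.com>
Bob Former <bob@old-kernel-dev.example>
Carol Keeper <carol@example.org>
Bob Former <bob@old-kernel-dev.example>
Dave Gone <dave@defunct-lab.example>
"""

AUTHOR_RE = re.compile(r"^(?P<name>.+?)\s+<(?P<email>[^>]+)>$")


def parse_authors(log_text):
    """Return {domain: set(emails)} from lines of the form 'Name <email>'.

    Lines that do not match the expected shape are skipped rather than
    guessed at, so stray output in the log cannot produce a bogus domain.
    """
    by_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTHOR_RE.match(line.strip())
        if not m:
            continue
        email = m.group("email").lower()
        if "@" not in email:
            continue
        domain = email.rsplit("@", 1)[1]
        by_domain[domain].add(email)
    return dict(by_domain)


def dns_resolves(domain):
    """Live check: True if the domain resolves to any address.

    Network-dependent. A failure (NXDOMAIN or similar) is a strong sign the
    registration lapsed; success does NOT prove the original owner still
    holds it, since a lapsed domain can be re-registered by anyone.
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_dead_domains(log_text, resolves=dns_resolves):
    """Map each non-resolving author domain to the emails that used it.

    `resolves` is injectable so the grouping logic can be exercised offline;
    pass the default to perform real DNS lookups.
    """
    dead = {}
    for domain, emails in parse_authors(log_text).items():
        if not resolves(domain):
            dead[domain] = sorted(emails)
    return dead


if __name__ == "__main__":
    # Offline demonstration with a stand-in resolver (constructed answers).
    stale = {"old-kernel-dev.example", "defunct-lab.example"}
    for domain, emails in find_dead_domains(
        SAMPLE_LOG, resolves=lambda d: d not in stale
    ).items():
        print(f"{domain}: {', '.join(emails)}")
```

Against a real tree you would feed it `git log --format='%an <%ae>' | python3 script.py` with the default resolver; every domain it reports is an address that a maintainer's mail client would show as a known contributor even though nobody currently vouching for the project may control it.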
@lrvick The issue is real but they completely fucked up the execution of the test. The number one thing to do is get approval for testing which they didn't. They could've worked with the maintainers but chose not to. They totally deserved what they got.
@nob0dy get approval from who? The actual people that sign off on the commits?
Meanwhile anyone can still submit code anonymously and do this again, only this time for a state actor.
The university exposed a massive process flaw that banning emails from a particular EDU won't fix.
@nob0dy I committed anonymously to the kernel. If someone coerced me I could do it again, only this time I could be asked to slip in something extra.
How will they catch me? Clearly the review process is not sufficient.
The security researchers proved a point very successfully.