undefined | Better HN

0 pointspjmlp4y ago0 comments

How do ensure it wasn't a malicious maintainer?

That information is meaningless if traces back to an empty room.

0 comments

If the project has a malicious maintainer, it's easier to find out if it's in the open - and either forcing change or not using the project at all. It's impossible to do that when you have no access to that information in the first place.

It's not perfect but it's something vs nothing. I'll take something every time.

pjmlpOP4y ago

How do you track down a malicious maintainer, introducing a back door slowly during one year long, a little change at a time, given how long CVEs in OpenSSL have been unnoticed as example?

j / k navigate · click thread line to collapse