undefined | Better HN

0 pointssimiones2y ago0 comments

It's important to focus on people, not just code, when suspecting an adversary. Now, I have no idea if this is the right account, and if it has recently been compromised/sold/lost, or if it has always been under the ownership of the person who committed the backdoor. But IF this is indeed the right account, then it's important to block any further commit from it to any project, no matter how innocuous it seems, and to review thoroughly any past commit. For the most security-conscious projects, it would be a good idea to even consider reverting and re-implementing any work coming from this account if it's not fully understood.

An account that has introduced a backdoor is not the same thing as an account who committed a bug.

0 comments

2 comments · 1 top-level

tux32y ago· 1 in thread

I agree we should look at the account and its contributions, I make a distinction between the account and the person.

Sometimes the distinction is not meaningful, but better safe than sorry.

tsimionescu2y ago

Oh, agreed then.

j / k navigate · click thread line to collapse