undefined | Better HN

0 pointsanonymousab4y ago0 comments

> The thing that people should be upset about is that such an important open source project so easily accepts patches which introduce security vulnerabilities

They were trusting of contributors to not be malicious, and in particular, were trusting of a university to not be wholly malicious.

Sure, there is a possible threat model where they would need to be suspicious of entire universities.

But in general, human projects will operate under some level of basic trust, with some sort of means to establish that trust. To be able to actually get anything done; you cannot perfectly formally review everything with finite human resources. I don't see where they went wrong with any of that here.

There's also the very simple fact that responding to an incident is also a part of the security process, and broadly banning a group whole-cloth will be more secure than not. So both them and you are getting what you want it of it - more of the process to research, and more security.

If the changes didn't make it out to production systems, then it seems like the process worked? Even if some of it was due to admissions that would not happen with truly malicious actors, so too were the patches accepted because the actors were reasonably trusted.

0 comments

twic4y ago

The Linux project absolutely cannot trust contributors to not be malicious. If they are doing that, then this work has successfully exposed a risk.

anonymousabOP4y ago

Then they would not be accepting any patches from any contributors, as the only truly safe option when dealing with an explicitly and admittedly, or assumed known malicious actor is to disregard their work entirely. You cannot know the scope of a malicious plot in advance, and any benign piece of work can be fatal in some unknown later totality.

As with all human projects, some level and balance of trust and security is needed to get work done. And the gradient shifts as downstream forks have higher security demands / less trust, and (in the case of nation states) more resources and time to both move slower, validate changes and establish and verify trust.

j / k navigate · click thread line to collapse