I'm trying to imagine this happening to someone like Red Hat.
BM: "We have the keys to your software repos; give us money or we leak."
RH: "Here's a tarball of the sources; it makes your life easier. Knock yourselves out! Maybe we'll even get some new developers!"
Obviously there are reasons why companies choose to keep their software closed source, but sometimes I wonder.
This would be like someone having the GPG signing key for the Red Hat official repositories. It would give them the ability to insert their own (malicious) software package into the Red Hat update stream without the signature throwing any warnings.
Isn't that why we keep revocation certs around? That doesn't really work for blackmail anyway because it is dependent on preventing the organization from knowing that you have access.
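The situation the two comments above describe, worked through as an added example (not code from this thread, nor anything of Red Hat's): a toy package index signed with Ed25519 stands in for the GPG-signed repomd.xml, a client with a small trust store stands in for the keys under /etc/pki/rpm-gpg, and the scenario checks four things: a repo tampered with by someone who lacks the key is rejected, a poisoned repo re-signed with the stolen key verifies with no warning at all, and only once the client drops the old key and trusts a new one does the thief's repo start failing while the vendor's freshly signed one still passes. Package names, contents and the key-rotation step are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package is a constructed stand-in for one RPM in the update stream:
// its name plus the SHA-256 digest of its (invented) contents.
type Package struct {
	Name   string
	Digest [32]byte
}

// Repo is the signed package index: the role repomd.xml and its detached
// signature play in a real yum/dnf repository.
type Repo struct {
	Packages  []Package
	Signature []byte
}

// NewPackage hashes the contents so the index commits to exact payloads.
func NewPackage(name, contents string) Package {
	return Package{Name: name, Digest: sha256.Sum256([]byte(contents))}
}

// canonicalIndex serializes the package set deterministically (sorted by
// name) so the signature covers exactly what a client will install.
func canonicalIndex(pkgs []Package) []byte {
	sorted := append([]Package(nil), pkgs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, p := range sorted {
		fmt.Fprintf(&b, "%s %s\n", p.Name, hex.EncodeToString(p.Digest[:]))
	}
	return []byte(b.String())
}

// Sign signs the index. Anyone holding priv, vendor or thief, can do this.
func Sign(priv ed25519.PrivateKey, pkgs []Package) Repo {
	return Repo{Packages: pkgs, Signature: ed25519.Sign(priv, canonicalIndex(pkgs))}
}

// Client is the consumer side: the set of signing keys it trusts.
type Client struct{ Trusted []ed25519.PublicKey }

var ErrUntrusted = errors.New("index signature does not verify under any trusted key")

// Verify accepts the repo only if its signature checks under a trusted key.
func (c Client) Verify(r Repo) error {
	msg := canonicalIndex(r.Packages)
	for _, k := range c.Trusted {
		if ed25519.Verify(k, msg, r.Signature) {
			return nil
		}
	}
	return ErrUntrusted
}

// Revoke drops a key from the trust store: the client-side effect of the
// vendor publishing a revocation and shipping a replacement key.
func (c *Client) Revoke(pub ed25519.PublicKey) {
	kept := c.Trusted[:0]
	for _, k := range c.Trusted {
		if !k.Equal(pub) {
			kept = append(kept, k)
		}
	}
	c.Trusted = kept
}

// Outcome records the verification result of each step of the scenario.
type Outcome struct{ Legit, Tampered, StolenKey, AfterRevocation, Rotated error }

// RunScenario plays out: honest repo, tampering without the key, tampering
// with the stolen key, then key rotation on the client. All data is invented.
func RunScenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	client := Client{Trusted: []ed25519.PublicKey{vendorPub}}
	legit := []Package{NewPackage("openssl", "real openssl build"), NewPackage("bash", "real bash build")}
	repo := Sign(vendorPriv, legit)
	var o Outcome
	o.Legit = client.Verify(repo)
	// No key: swap in a backdoored package but reuse the vendor's signature.
	bad := NewPackage("openssl", "backdoored openssl build")
	o.Tampered = client.Verify(Repo{Packages: []Package{bad, legit[1]}, Signature: repo.Signature})
	// Stolen key: re-sign the poisoned index; the client sees nothing wrong.
	stolen := Sign(vendorPriv, []Package{bad, legit[1]})
	o.StolenKey = client.Verify(stolen)
	// Rotation: trust a new vendor key, revoke the compromised one.
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	client.Trusted = append(client.Trusted, newPub)
	client.Revoke(vendorPub)
	o.AfterRevocation = client.Verify(stolen)
	o.Rotated = client.Verify(Sign(newPriv, legit))
	return o, nil
}

func main() {
	o, err := RunScenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The point of the rotation step is the one made above: revocation only helps once the vendor knows the key is gone and clients have actually picked up the new key; until then the thief's packages are indistinguishable from the vendor's.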