
Can Microsoft plant backdoor on Linux source in GitHub secretly? - CoderCV
Linux repository - https://github.com/torvalds/linux
======
PaulHoule
It's open source.

Everybody would be able to see it. It might be hard to figure out, but you
couldn't get away with it forever.

For that matter anybody who contributes to Linux could contribute a bad patch.
Remember that a bad patch doesn't have to look like it has evil intent, it
just looks like the author wasn't being careful with memory and... oops, there
is a buffer overflow there.

~~~
java-man
Remember Heartbleed?

------
archi42
I'm not aware this is possible. The git commits form some kind of dependent
hash tree, so you cannot "rewrite history" without screwing up that tree.

Meaning: If someone altered the code on GitHub, the current trunk's hash would
change. Subsequently, if Torvalds tries to push to this repo, he would receive
an error.

Of course MS could offer Torvalds one "version" of the git, and everyone else
a "tampered version"; keeping the two in perfect sync. But since the kernel
git is also located on other sites, this tampering would show up rather sooner
than later.

Edit, some small nit-picking: I think this should be prefixed with "Ask HN:"
;)
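
Added example, not part of archi42's comment or the thread: a minimal Python model of how git derives object ids in a SHA-1 format repository, showing that altering one commit changes the id of every descendant even when later file contents are untouched. The file names, identity line and histories are constructed sample values.

```python
from __future__ import annotations
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 over '<kind> <size>\\0' + body, as in SHA-1 format repositories."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\x00" + body).hexdigest()

def tree_id(files: dict[str, bytes]) -> str:
    """Tree object for a flat directory of regular files (mode 100644)."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\x00" + blob
    return git_object_id("tree", body)

def commit_id(tree: str, parent: str | None, message: str) -> str:
    """Commit object naming its tree and parent; identity lines are constructed."""
    who = "Sample Dev <dev@example.invalid> 1700000000 +0000"
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {who}", f"committer {who}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_ids(snapshots: list[tuple[dict[str, bytes], str]]) -> list[str]:
    """Commit ids of a linear history given (files, message) per commit."""
    ids: list[str] = []
    for files, message in snapshots:
        ids.append(commit_id(tree_id(files), ids[-1] if ids else None, message))
    return ids

def first_divergence(a: list[str], b: list[str]) -> int | None:
    """Index of the first commit whose id differs, or None if identical."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)

# Constructed histories: TAMPERED alters one file in the second commit only.
ORIGINAL = [
    ({"auth.c": b"check();\n"}, "add auth"),
    ({"auth.c": b"check();\n", "README": b"docs\n"}, "add README"),
    ({"auth.c": b"check();\n", "README": b"more docs\n"}, "expand README"),
]
TAMPERED = [ORIGINAL[0],
            ({"auth.c": b"check(); /* altered */\n", "README": b"docs\n"}, "add README"),
            ORIGINAL[2]]

if __name__ == "__main__":
    for good, bad in zip(history_ids(ORIGINAL), history_ids(TAMPERED)):
        print(good[:12], bad[:12], "same" if good == bad else "DIFFERENT")
```

The third commit has an identical tree in both histories, yet its id differs because the commit object embeds its parent's id, which is what a clone holding the original tip would notice on fetch or push.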

------
LinuxBender
Is GitHub the master, or a sync from somewhere else? Are the commits GPG
signed? Does anyone here know for a fact the build/test pipeline(s) validate
on checkout that git has no errors and require human intervention if it does?

------
BentFranklin
Never ascribe to stupidity that which can adequately be explained by malice
masquerading as stupidity.

~~~
java-man
Straight out of the manual!

