
Nothing is 100% guaranteed, but with an open source project, given enough users, it's far less likely for someone to be able to bury nefarious stuff without many eyes looking at it and at least one person sounding an alert.

Yeah but really this isn't true. Popular open source that has tens of thousands of eyes on it still gets compromised all the time (see: npm). Even the Linux kernel has had rogue git commits injected into it.

The problem with npm isn't that open source doesn't help, it's that the eyes get spread out thin when you have thousands of modules - so nobody is looking at the changes that happen in their many small dependencies.

Which is not to say that that's not a valid approach - but for it to work we need better tools to handle lots of git repos at once (for example, the ability to get notified about any new code on github that affects your project would be pretty cool, especially if it's coming from people or organisations you haven't explicitly marked as trusted yet).

I would like to see someone try and sneak rogue commits into Linux. It would be quite the feat.

> the Linux kernel has had rogue git commits injected into it

What? Who "injected" what and when?

I'm also interested to know more about this.
