
Security quote of the week

If you want to make a big deal about something, maybe it shouldn't be what country a sole maintainer is from. Let's face it, the Russians aren't dumb enough to backdoor a package owned by a guy living in Russia. They're going to do something like pretend to be from another country with a name like Jia Tan, not Boris D. Badguy. This isn't a Rocky and Bullwinkle episode. [...]

Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars (also a big number). Most of it is one person. And I can promise you not one of those single-person projects has the proper amount of resources they need. If you want to talk about possible risks to your supply chain, a single maintainer that's grossly underpaid and overworked. That's the risk. The country they are from is irrelevant.

Josh Bressers (Thanks to Paul Wise.)


I think

Posted Sep 4, 2025 13:22 UTC (Thu) by Vit0ld (subscriber, #111367) [Link]

that that's mostly true, almost 100%

the problem, though, is that for any such contributor, this might quietly change, unnoticed by anybody except the contributor and whatever secret organization puts the pressure on him


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds