Thoughts?

  • いなり@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    This might age horribly, but I never really understood the worry that a high-profile open source developer might ‘smuggle’ some dodgy code into a repo. Sure, it’s possible. Especially in large projects, but the risk/reward ratio is simply ridiculously bad and there are so many other/simpler ways out there a malicious actor could use to make a profit.

    • Square Singer@feddit.de
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      The risk is definitely not higher than the risk of some closed sorce dev smuggling something dodgy into a high profile project like e.g. Windows.

      That said, I would trust an unknown git repo about as much as I would trust some exe I found on a random website.