I don’t understand how people see the xz incident and conclude that open source is insecure. That level of social engineering could easily have worked on a company as well, but it was detected *because* it was open source. All other mechanisms failed, and it was just some random guy poking around who discovered it. That kind of scrutiny doesn’t happen on closed-source systems.
@kellogh I've witnessed how dev teams deal with access tokens and private keys for git repos. Assume breach is a completely logical position.
What are the odds of anyone detecting malicious activity in any of those private repos...