Re: Security lessons from liblzma

From: Joe Conway <mail(at)joeconway(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Andres Freund <andres(at)anarazel(dot)de>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Security lessons from liblzma
Date: 2024-04-09 12:43:57
Message-ID: bdd25146-f573-467a-b813-50241bb1d7ff@joeconway.com
Lists: pgsql-hackers

On 4/8/24 22:57, Bruce Momjian wrote:
> On Sat, Mar 30, 2024 at 04:50:26PM -0400, Robert Haas wrote:
>> An awful lot of what we do operates on the principle that we know the
>> people who are involved and trust them, and I'm glad we do trust them,
>> but the world is full of people who trusted somebody too much and
>> regretted it afterwards. The fact that we have many committers rather
>> than a single maintainer probably reduces risk at least as far as the
>> source repository is concerned, because there are more people paying
>> attention to potentially notice something that isn't as it should be.
>
> One unwritten requirement for committers is that we are able to
> communicate with them securely. If we cannot do that, they potentially
> could be forced by others, e.g., governments, to add code to our
> repositories.
>
> Unfortunately, there is no good way for them to communicate with us
> securely once they are unable to communicate with us securely. I
> suppose some special word could be used to communicate that status ---
> that is how it was done in non-electronic communication in the past.

I don't know how that really helps. If one of our committers is under
duress, they probably cannot risk outing themselves anyway.

The best defense, IMHO, is the fact that our source code is open and can
be reviewed freely.

The trick is to get folks to do the review.

I know, for example, at $past_employer we had a requirement to get
someone on our staff to review every single commit in order to maintain
certain certifications. Of course there is no guarantee that such
reviews would catch everything, but maybe we could establish post commit
reviews by contributors in a more rigorous way? Granted, getting more
qualified volunteers is not a trivial problem...

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
