Comment by flowerlad

4 years ago

But this raises an obvious question: Doesn't Linux need better protection against someone intentionally introducing security vulnerabilities? If we have learned anything from the SolarWinds hack, it is that if there is a way to introduce a vulnerability then someone will do it, sooner or later. And they won't publish a paper about it, so that shouldn't be the only way to detect it!

So, it turns out that sometimes programmers introduce bugs into software. Sometimes intentionally, but much more commonly accidentally.

If you've got a suggestion of a way to catch those bugs, please be more specific about it. Just telling people that they need "better protection" isn't really useful or actionable advice, or anything that they weren't already aware of.

That question has been obvious for quite some time. It is always possible to introduce subtle vulnerabilities. Research has tried for decades to come up with a solution, to no real avail.

  • Assassinating the researchers doesn't help.

    • The Linux team found the source of a security threat and have taken steps to prevent that security threat from continuing to attack them.

      You can't break into someone's house through their back window, tell the owners what you did, and not expect to get arrested.

      People don't scream "how are we going to know that people can break into houses through broken windows without these heroes!?"

> Doesn't Linux need better protection against someone intentionally introducing security vulnerabilities?

Yes, it does.

Now, how do you do that other than having fallible people review things?