[TriLUG] The sad state of sysadmin in the age of containers

Matt Flyer via TriLUG trilug at trilug.org
Fri Mar 13 16:07:40 EDT 2015


A dev may have been coerced, as the $5 wrench is still effective; however, if this code were reviewed and the hidden treasures were discovered, your reputation would become toast and this would lead to a flurry of eyes poring over all previous work too.  In theory, this is one of the core strengths of the open source model: it makes it harder to plant malicious code.

Also, WRT your statement about a proper CA system making a better defense against nation state level threats: I hate to say it, but I fear that is a big problem today and it is only going to get worse as things become more unglued.  Not that long ago, I would not have believed this end would have even seen the US govt as being at worst a neutral partner whose goals were in line with my own.  Now, I see them as the enemy.

Sent from my iPad

> On Mar 13, 2015, at 3:57 PM, Igor Partola via TriLUG <trilug at trilug.org> wrote:
> 
> 
> WoT does not actually protect the code itself. It simply says "developer
> @haxor signed this release." Let's say I am @haxor and you know me
> personally and have verified my identity directly. You know for a fact that
> this code comes from me. Now, how do you know the NSA didn't compel me to
> put in a backdoor? Or that they did not compromise my workstation to insert
> a backdoor into every piece of code I release, right before I upload it to
> PyPI? The only way to verify that is for security researchers to pore over
> every piece of code released on PyPI, NPM, etc. and that's just not
> feasible because there aren't enough security researchers. All this means
> is that the last mile of code security and security guarantees is an
> incredibly hard resource allocation problem, which cannot be solved with
> release signing.