
Suppose that the sole developer of a niche open source project available from an official Ubuntu repository gets to sneak a malicious commit into their project, making the otherwise useful program act as a keylogger and send the collected data to the project's server along with benign and expected data queries, or perform any other similar and clearly destructive activity.

What layers of security does Canonical provide to avoid that? Is the code available from the official repos independently audited? What if the package maintainer is in cahoots with the developer, or is the same person?

undercat
While a good-for-many-years actor can indeed change their mind one day and become a bad actor, it's exceedingly rare and not limited to software. The question seems written to (perhaps unintentionally) imply that complete third-party code audits of all commits are the best solution... but that is unrealistic for several reasons (are you going to pay for it?). Note that the tinfoil-hat types in the community are likely to notice the extra activity and network overhead reasonably quickly, and discover the issue... it's not clear if you consider that a layer of security or not. – user535733 Mar 28 '19 at 15:55
