The world got crazy when the XZ backdoor got discovered. Yet we have not seen any detective work being done to find out who did it.
@UncleIroh I agree with Jonathan Blow on why open source sucks. There should be only a handful of people making commits, and the community can only report bugs and vote on features. No pull/merge requests.
Hard disagree. That's precisely what git policies are for.
@Justicar
You just have to assume that open source software is rife with bugs. Sometimes it's unintentional, other times they are malicious, effectively zero-day exploits.
Plenty of history here too. I remember the Heartbleed "bug" back in 2014 that compromised the OpenSSL library. The effect was enormous.
More recently the Log4j bug, and of course the amount of npm fuckery is off the charts.
Check out the sneaky git commit on the attached pic, done when no-one would ever be looking.