Insecure dev machines.
Posted Oct 22, 2024 16:11 UTC (Tue) by farnz (subscriber, #17727)
In reply to: Insecure dev machines. by ballombe
Parent article: Python PGP proposal poses packaging puzzles
Not really - one of the "open secrets" about security is that most people don't get hacked by simple luck, not because they're particularly secure.
Debian hasn't collapsed because hacking a distro developer's machine in order to insert malware into the distro packages is a high-risk, low-reward path when you compare it to faking an identity to become an upstream developer of something critical (for example). You'd not only need to hack a DD's machine, but also to do things that don't cause either the hacked DD, or another DD, to become suspicious about your actions; but something like doing an NMU to a maintained package with no clear reason is likely to get people's attention.