Author: ZmnSCPxj 2021-10-04 03:59:34
Published on: 2021-10-04T03:59:34+00:00
In this email conversation, ZmnSCPxj suggests that attempts to attack the review process waste contributors' time, and proposes improving the review process so that such attacks do not succeed. They suggest that developers should be able to opt in to or out of a study aimed at hardening the review process, with the opt-out available to those with limited time or other reasons. The proposed scheme requires each commit message to carry a pair of 256-bit hex words, with public attempts at attack or testing using the first 256-bit word as a salt. Those opting out will run a script that checks, for each commit message, whether the first 256-bit hex word concatenated with "THIS IS AN ATTACK", then hashed, equals the second 256-bit hex word. However, it is noted that a putative NSA attack would not use the above protocol, and thus no developer can ever opt out of an NSA attempt at inserting vulnerabilities.
Updated on: 2023-06-15T02:26:42.672132+00:00
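A sketch of the opt-out check described above, added here as an example and not taken from the email or from any project's code. It assumes SHA-256 as the hash, that the salt is hex-decoded before the marker is appended, and that the two words appear in order in the message; the `Review-Salt`/`Review-Tag` trailer names and all function names are hypothetical.

```python
import hashlib
import re
import secrets

MARKER = b"THIS IS AN ATTACK"
# A 256-bit word written as exactly 64 hex digits (not part of a longer hex run).
HEX256 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def expected_tag(salt_hex: str) -> str:
    """hash(salt || marker). Assumption: SHA-256 over the decoded salt bytes."""
    return hashlib.sha256(bytes.fromhex(salt_hex) + MARKER).hexdigest()


def make_message(subject: str, is_test_attack: bool) -> str:
    """Build a constructed commit message carrying the required word pair.

    Honest commits carry a random second word, so every message has the
    same shape and only the hash relation marks a declared test.
    """
    salt = secrets.token_hex(32)
    tag = expected_tag(salt) if is_test_attack else secrets.token_hex(32)
    return f"{subject}\n\nReview-Salt: {salt}\nReview-Tag: {tag}\n"


def classify(commit_message: str) -> str:
    """Return 'attack', 'normal', or 'malformed' for one commit message."""
    words = HEX256.findall(commit_message)
    if len(words) != 2:
        return "malformed"  # the scheme requires exactly one pair per commit
    salt, tag = (w.lower() for w in words)
    return "attack" if expected_tag(salt) == tag else "normal"


if __name__ == "__main__":
    # Constructed sample history: one honest commit, one declared test, one
    # commit that omits the pair and would be rejected by the policy.
    history = [
        make_message("wallet: fix fee rounding", is_test_attack=False),
        make_message("net: relax peer timeout", is_test_attack=True),
        "doc: typo fix with no word pair\n",
    ]
    for msg in history:
        print(f"{classify(msg):9} {msg.splitlines()[0]}")
```

A reviewer who has opted out skips commits classified as `attack`; the check says nothing about an undeclared attack, which would classify as `normal`.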