EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: Should we review our bugs & merges process?
From: Zimoch Dirk via Core-talk <core-talk at aps.anl.gov>
To: "anj at anl.gov" <anj at anl.gov>, "core-talk at aps.anl.gov" <core-talk at aps.anl.gov>
Date: Mon, 10 Jun 2024 08:16:20 +0000
Hi Andrew

I agree that the merge process is slow and on the shoulders of very few people.
But we should make sure that streamlining the process does not open the door for
malicious contributions. Running in high value facilities inside critical
networks, EPICS qualifies as an attractive target for malicious actors.
See also the recently uncovered xz utils backdoor attack where an attacker
infiltrated the small team for years to build trust (while staying effectively
anonymous) and then used fake reviews to get his malicious content merged: 
https://en.wikipedia.org/wiki/XZ_Utils_backdoor

Thus, I do not consider it safe to merge change requests just because someone on
the internet said it is fine.

Am I paranoid?
Dirk


On Sat, 2024-06-08 at 19:17 +0000, Johnson, Andrew N. via Core-talk wrote:
> Saw this blog, wondering if we should look at improving our process?
> 
> https://www.leafwing-studios.com/blog/triage-by-controversy/
> 
> - Andrew
> __ 
> Complexity is free, you pay for Simplicity
