Hi Andrew
I agree that the merge process is slow and on the shoulders of very few people.
But we should make sure that streamlining the process does not open the door for
malicious contributions. Running in high value facilities inside critical
networks, EPICS qualifies as an attractive target for malicious actors.
See also the recently uncovered xz utils backdoor attack where an attacker
infiltrated the small team for years to build trust (while staying effectively
anonymous) and then used fake reviews to get his malicious content merged:
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
Thus, I do not consider it safe to merge change requests just because someone on
the internet said it is fine.
Am I paranoid?
Dirk
On Sat, 2024-06-08 at 19:17 +0000, Johnson, Andrew N. via Core-talk wrote:
> Saw this blog, wondering if we should look at improving our process?
>
> https://www.leafwing-studios.com/blog/triage-by-controversy/
>
> - Andrew
> __
> Complexity is free, you pay for Simplicity
- References:
- Should we review our bugs & merges process? Johnson, Andrew N. via Core-talk