• Kissaki@programming.dev
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    19 days ago

    We don’t need to trust anybody.

    Reviewing every change and discovering every issue is unfeasible on multiple levels. Even skipping that fundamental, base level requirement; you need to trust in trustworthiness from submitters and reviewers, and that people review. You need to trust those maintainers that can push and pull and merge. You need to trust the builders and publishers and distributors.

    I doubt you’re reviewing every code change and compiling or verifying reproducible builds on every software and patch version you run. You put trust in the chain. And the chain decided to cut at some point because of risk.

    Besides, the idea that employed developers with a Russian day job are a risk… but one fails to consider these were the honest ones who declared their day job.

    So you think people do only one job and have only one concern? Do you think people of sanctioned countries, contributing to an unjust war, more or less directly, are a bad place to start reducing risks?

    I feel like properly vetting commits to the kernel that does not involve the core contributors and maintainers too much is the way to go.

    I’m baffled you can make this point while at the same time not accepting their decision after review, assessment, and consequence. You’re asking them to review while not accepting their decision. From the same people.