Gregory's Server
@jwildeboer yes… but. I’m now wondering if there are other instances we haven’t caught, or caught yet. Seems optimistic to assume that we’ve spotted a solitary instance of a very sophisticated approach to sneaking in back doors.
At a minimum, it might be time to revisit the practice of key signing parties and doing more to vet contributors.
@jzb What I am trying to say is that there are two sides here. Solving and cleaning up after it happened is #1. That is what I am talking about. #2, what you mention, is how to harden the FOSS ecosystem proactively to reduce the risk of stuff "hiding in plain sight" in FOSS. That's a far wider field with many more unknowns.
We just shouldn't mix the two things because that leads to open ending arguments and not to solutions, IMHO.