Conversation

Definitely not widely accepted that by using open source software, you inherently trust any random person able to submit code to a mailing list from Gmail. Pretty big difference between trusting the developers of a project and trusting anyone able to submit patches to it.
You're simply continuing to make disingenuous arguments. I never said anything of the kind. I'm well aware of the serious systemic security issues of the Linux kernel, which go way beyond an unsafe language and very lax code review. I really don't need you to explain it to me.
Clutching pearls? What? I'm simply explaining that to many people, the findings of the study are far from obvious. It was obvious to me, and clearly to you, but it isn't to many people. Scientific studies demonstrating something some people think is obvious aren't useless.
They could have found a way to do this kind of study in an ethical way, and I don't think it would be useless. Some projects have stricter code review, safer languages / architectures, etc. Some don't take public patches (SQLite). It's not universally the same situation at all.
The scale of the Linux kernel is an architectural choice and is an approach promoted by the people in charge of the development process as superior to the alternative of dividing it up into isolated components. They don't even want out-of-tree code to exist at all. Their choice.
A substantial part of my job is mitigating security issues with the Linux kernel and working towards phasing it out as part of the trusted computing base in as many areas as possible. Used to include submitting improvements and security fixes upstream, but hasn't for a while.