Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > There is not much one can do when a maintainer with signing/release 
  > power does something intentionally wrong.

That is clearly true.  I don't think we should propose changes in
tools with the idea of outright preventing insider sabotage.

We should also point out that free software is still far safer than
nonfree software.  With nonfree software, intentional sabotage and
back doors are normal practice (see https://gnu.org/malware/), and
unintentional gross security failures are not unusual.

However, this case could suggest improvements in practices or tools
that would catch more mistakes, and some instances of sabotage too.
It can't hurt to think about possibilities for that,

That's useful to think about, as long as we don't insist that the
target is perfection.  Because, as you said, no change in tools could
protect _perfectly_ against devious sabotage by maintainers.

We may need more maintainers on some of the tools in question.
Aside from autoconf and automake, what tools are involved here?


-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)