Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > There is not much one can do when a maintainer with signing/release 
  > power does something intentionally wrong.

That is clearly true.  I don't think we should propose changes in tools
with the idea of preventing such sabotage outright.

We should also point out that free software is still far safer
than nonfree software.  With nonfree software, intentional sabotage
is normal practice (see https://gnu.org/malware/) and unintentional
gross security failures are not unusual.

However, this case could suggest improvements in practices or tools
that would catch more mistakes, and some instances of sabotage too.
It can't hurt to think about possibilities for that,

Just as long as we don't insist on perfect or nothing.
Because, as you said, no change in tools could protect perfectly
against this soft of devious sabotage.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)