
My reading of this article is that Linus's machine is the real target if you want to inject malware into the kernel undetected.



Really the point is that nothing can be injected into the git history undetected. To add any new code to the repository it needs to be put at the top of the 'stack' as the last commit. So even if someone got access to Linus' (or any other high level dev) machine they wouldn't be able to inject malware undetected as a look at recent commits would show the changes made.


Yep, the very detailed article comes down to one basic fact: "we always have lots of copies on our and other people's machines so we can always track ANY possible modifications."

In that regard, I guess it could be more "likely" to sneak in a very, very well hidden and cryptic exploit in contributed code.


In reality such an exploit will be more likely to trigger both automated and human alarms in each different repo.


Depending on how hidden and cryptic it is.


No - Linus' machine is still just another node. Git is fully distributed. Everything in that article still holds.


Linus, however, is not distributed. If a malicious commit was discreetly slipped into his repository as a seemingly Linus-sourced change, there is enough trust in him that the change would likely propagate.


Not without going through a quite extensive review process and then finally getting signed off (with a crypto signature) by several people.

It's not entirely impossible, but there are far easier ways of getting malware out there.


The ultimate goal might not be to simply get malware out there per se, but to discredit Linux's reputation as a secure OS.

If that is the case, going to extra trouble to infect Linux kernel source may well be worth it for the attackers.



