A good taxonomy and attempt to make terminology common. Even if it
doesn't gel structurally the set of attack/threat trees is a good
first checklist for any open source project wanting to think about
opsec/infosec.
One wonders if the FSF and OSI are on to this and doing much to
facilitate good practice for new projects, like best practice git
setup, vetting of maintainers, multi-party authentication for builds,
secure endpoints/host hardening. Or will we just leave it to the
"many-eyes" (fingers crossed) system?
Otherwise developers might start to assume the veneer of "security"
offered by Microsoft's GitHub in some way underwrites project
integrity (when one should probably trust it about as far as you can
comfortably spit out a rat), and most of the weaknesses will happen in
the surrounding infrastructure/workflow anyway.