[greglindahl]

People have thought about how to prevent it -- it's not a new issue.

[tchaffee]

In that case could you provide a source or two for those of us who want to get up to date with the current thinking?

[greglindahl]

Here's one example, you can find many more with a little googling: https://stackoverflow.com/a/39708317/1370917

If you look at the question, you can see that some people don't make the connection that the motivation behind code signing is figuring out who committed suspicious code. Code that has security bugs is one interest, another is code which the committer didn't have permission to commit, for example proprietary code.

[tchaffee]

Thanks for the link. So I submit some code that is signed and it's a good contribution that closes an issue. I intentionally include a subtle bug. My friend who lives in a different country uses the bug bounty program to fix the bug and he collects the money. How do you detect that scenario with code signing?