There is a tremendous amount of software created and maintained by Russian developers running on Windows, MacOS and Linux. One example would be NGinx which runs a good deal of websites on the internet. NGinx is now owned by F5 but still maintain the same developers. There is probably a better way to verify code, risk rank flaws and assign a level of trust. This should be an ongoing and ideally automated effort regardless of who is contributing code or hardware.
I personally would like to see AI be able to review entire code bases and see the bigger picture because state sponsored lawful intercepts are rarely one piece of code but rather require multiple pieces of code and sometimes hardware to work in conjunction to form the back door.
Yesterday I learned that a lot of crucial stuff in Postgres was developed by Russians (the list I saw was quite extensive). So if you run nginx+Postgres (like half the Internet?) then WinRAR is least of your concerns
That's a fair point. Perhaps a solution could be that if someone were willing to pick up the par2cmdline code base and work with the 7-zip developers to merge it into their command line and GUI then there may not be many reasons left to utilize WinRAR.
I've met many incredibly talented eastern European engineers, who seem to overwhelmingly enjoy low-level programming (compilers, database internals, etc.). I don't see the concern.
They live in a country where you can literally get arrested for walking around with a blank piece of paper. Just because you MIGHT write something subversive on it.
The ability of the Russian government to lean on incredibly talented developers is extremely large.
The Russian government has recently shown itself to be willing and even eager to use coercive tactics against its own people.
The trust issues with software developed by Russians isn't that the engineers are Russian. It's that the engineers and their families are currently in Russia.
How is that conclusion came to mind? Did they wrote the entire code in Russian or the code just don't run on Russian computers?
If you don't know, this is not even the first file compression related exploit. "Zip Slip"(0) for example, is just one year old, and there are many of them out there.
I personally would like to see AI be able to review entire code bases and see the bigger picture because state sponsored lawful intercepts are rarely one piece of code but rather require multiple pieces of code and sometimes hardware to work in conjunction to form the back door.