by scanr 490 days ago
This could be bad for supply chain attacks. Basically the xz hack.

Step 1. Helpful person starts committing useful PRs and offers to help out until they get commit rights. I don’t think this is hard to achieve generally.

Step 2. Organised campaign of grumpy users complaining about how poorly the software is being maintained along with a bunch of pile-ons.

Step 3. Benign committer decides it’s all too much and quits. The general feeling that open source committers are undervalued makes this more likely.

Step 4. Supply chain attack by new evil committer.


It's either that, or Enterprise Linux vendors will start buying out struggling maintainers in order to make future updates subscriber-only.
So might it be useful to have some mechanism to check if the 'maintainer' (owner/principal committer/?? - what Peter Murray-Rust used to refer to as the 'Dr Who') changes?

Like, when bumping the version on a dependency, the security system could check if the maintainer has changed, then you could go and double-check any changes.

We used to meet physically 15 years ago to exchange PGP keys, building a verifiable chain of trust.

It's depressing to see these efforts ignored nowadays and the consequence being we still can't trust anyone online.

I assume there is also a black market for mature GitHub accounts. So you won't necessarily know if the maintainer is now a different person.
Good point.

Also, where would the information be stored? If it was in the repo itself (as metadata) then the malicious maintainer could just not update it ...
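The dependency-bump check proposed earlier in the thread, with the trust record kept on the consumer's side rather than in the dependency's repo (the storage problem raised in the last comment); this is an added example, not code from the thread, and the package name, key identifiers and release history are constructed:

```python
"""Consumer-side maintainer-change check on dependency bumps (constructed example).

The trusted publisher set is kept by the consumer (e.g. in its own lockfile),
not inside the dependency's repository, so a new maintainer cannot simply
leave repo metadata unchanged to hide a handover.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Release:
    version: str
    publishers: frozenset  # signing-key fingerprints or account ids (constructed)

@dataclass
class TrustRecord:
    trusted: set = field(default_factory=set)  # identities accepted so far
    pinned: str = ""                            # version currently locked

def check_bump(record: TrustRecord, new: Release) -> dict:
    """Classify a bump from record.pinned to new.version by who published it."""
    unknown = sorted(new.publishers - record.trusted)
    if not record.trusted:                           # first pin: trust on first use
        action = "tofu"
    elif not unknown:                                # every publisher already trusted
        action = "ok"
    elif new.publishers.isdisjoint(record.trusted):  # none of the old identities remain
        action = "handover"                          # strongest signal: review before bumping
    else:
        action = "review"                            # a new identity joined the known ones
    return {"action": action, "from": record.pinned, "to": new.version, "unknown": unknown}

def accept(record: TrustRecord, new: Release) -> None:
    """Record a reviewed-and-approved bump in the consumer-side trust record."""
    record.trusted |= set(new.publishers)
    record.pinned = new.version

def walk_history(releases) -> list:
    """Auto-accept unsurprising bumps; stop at the first one needing a human."""
    record, verdicts = TrustRecord(), []
    for rel in releases:
        verdict = check_bump(record, rel)
        verdicts.append(verdict["action"])
        if verdict["action"] in ("tofu", "ok"):
            accept(record, rel)
        else:
            break
    return verdicts

# Constructed release history for a hypothetical package "examplepkg":
HISTORY = [
    Release("1.0.0", frozenset({"key:alice"})),
    Release("1.0.1", frozenset({"key:alice"})),
    Release("1.1.0", frozenset({"key:alice", "key:bob"})),  # a new co-maintainer appears
]

if __name__ == "__main__":
    print(walk_history(HISTORY))  # ['tofu', 'ok', 'review']
```

A "handover" verdict (every previous identity gone) is the case the thread describes, and the point is only to force a human look at the diff, not to block the bump automatically.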