by geenat 446 days ago
Probably a backdoor.

Repositories controlled by accounts based in mainland China and Russia are always a risk; it's too easy for a dictatorship to force something to happen even if the authors themselves are trying to act in good faith.

XZ, Swoole... examples off the top of my head.


> it's too easy for a dictatorship to force something

We really need to get rid of this mentality. Australia has laws that allow undisclosed, compelled software updates. Verbally by ministers, but written (confidential) changes can be requested by federal agencies. Many western countries have followed to various degrees. There's no stable, trusted government that doesn't want its fingers in your code.

I agree it's not good, but being realistic: I'd be far less worried about the Australian government stealing/selling customer data, using my servers in a botnet, using my servers to spread malware, etc.

Mainland China, Russia, North Korea, all have proven track records of doing these things and having corporate espionage rat lines: https://www.youtube.com/watch?v=y27B-sKIUHA

A backdoor would still be a backdoor, even if the "good guys" made it. E.g. Dual_EC_DRBG.

And from outside, it certainly seems like those "good guys" are edging closer and closer to a malicious dictatorship recently. (If you don't see that from inside, try asking a trans person. Or a non-white person. Or a Canadian. Or a woman who wants reproductive health care.)

You're not worried about a member of the Five Eyes coalition stealing data? Wild.

Strong speculation that FortiGate's annual SSL VPN CVEs are simply government backdoors.

Where did you see signs of control by Russia or China? The project's GitHub repo states that the project currently has one maintainer, and that maintainer has a very Dutch name and a .nl website.

Talking about the author of the suspicious commits. In another repo:

https://github.com/xroche/httrack/pull/210/commits/e00339643...

What about the fact that software is hosted on US/German/Australian/whatever else platforms and infrastructure? What's different with that, technically speaking? The fact that a majority of the software we rely on is hosted on GitHub, isn't that scary in the same way that a repo owned by someone in another country is scary?

Does a government need to openly act in a specific way for there to be a risk, or is this perceived risk due to a media bias?

I'm genuinely curious if there's a good answer

GitHub has a lot to lose if it was leaked that they were knowingly facilitating backdoors behind the scenes; many pay for the convenience and trust.

By the same standard, what are the repercussions for these random fly-by-night accounts? Just make a new account and try again on an existing project, or fork / tweak / rebrand another project.

Steam, VSCode, PyPI, NPM... it would ruin those platforms overnight if they were putting in backdoors themselves.

Reputational loss isn't a good argument either, because what the comment I replied to said is that repositories in the control of people in e.g. Russia are dangerous. That implies that a Russian or Chinese maintainer of popular open source software is not safe, whereas someone employed by an American company is.

However, maintainers have a reputational loss risk, just like someone working at a company does, no?

And, of course, GitHub could just replace the file you're served when you download a file from it, and then blame a hacker, a rogue employee, or deny it happened. That is just as technically possible as any other entity being forced, by their government, to do something, no?

And, of course, if a govt forces you, your reputation is not the thing you're worried about.

I understand your argument, but that seems like it's a different argument from the one I was disagreeing with.

These are all good questions where the answer is usually something along the lines of solving them with reproducible builds and Nix, which sounds good until someone points out where the Nix ecosystem gets its funding.

Again, what is the issue with funding? If I get funding from the German government, am I more trustworthy than someone who gets funding from the Hungarian government, like, really? Is there a real, tangible risk here that does not exist with other governments?

Of course the US government isn't scary if you're in the US, but not everyone is, and governments change.

I'm not asking whether it feels like there's a risk; I'm asking whether, factually speaking, there is a significant enough risk that it outweighs all else. Is there?