by pixl97 405 days ago
I don't have the answer here. Open source is the base of a lot of secure software. And at the same time open source software gets pulled into other functional software that has widespread and potentially dangerous outcomes.

OpenSSL for example. Any security flaw in this package has worldwide effects, but we would be lesser without it.

Another example is the xz software that was attacked and then pulled into distributions. We were just lucky it was caught relatively early.

1 comment

Therein lies the rub. Whatever the answer is, it will require careful and thoughtful solutions, not oversimplified conclusions that raking developers over the coals publicly with no warning is somehow “Good”.

To be clear, I have far less sympathy for big software shops that pump out negligently bad code and then have to be prodded to fix it, but they’re not the only players involved.