by jandrewrogers 298 days ago
It mostly doesn't work like that even for closed source in DoD. They have to weigh the risk against the very high cost of mitigating the risk. Their resources are large but not infinite.

Even if they trust the developer, they may not trust their process. There are many cases of trusted developers having their development environments compromised such that bad actors were able to insert modifications into source trees, in commits signed by the developer. Most code is not developed in anything remotely resembling a high-security context.