On Mon, Jun 16, 2025 at 05:43:12PM -0400, Theodore Ts'o wrote:
> The obvious counter example here is Jia Tan[1][2]. Another more recent
> example is the "X11Libre" developer who had to get ejected from
> Freedesktop.org after contributing a huge number of questionable
> commits[3].
>
> [1] https://cyberscoop.com/open-source-security-trust-xz-utils/
> [2] https://www.wired.com/story/jia-tan-xz-backdoor/
> [3] https://www.phoronix.com/news/X.Org-Server-Lots-Of-Reverts
Oh, and how could I forget --- another example of "bad" contributors was Professor Kangjie Lu from the University of Minnesota and his graduate students[1].

[1] https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source

This is why careful review of patches is super important, and why I am personally very dubious of the Forge Pull Request model. Unless people are super, super careful about code review, a "git pull" could very easily pull in some malicious code. Maintainers need to be super paranoid, especially for code contributions coming from an unknown new contributor.

Just for myself, I find that e-mail review is just more effective; I can review patches much more easily when I am partially off-line, such as while on an airplane, or on a cruise ship. It's much more difficult to do this via a web-based Forge system.

Cheers,

- Ted