elharo commented on PR #91: URL: https://github.com/apache/xerces-j/pull/91#issuecomment-4126897242
What it means is that a single individual, including a compromised account, can't unilaterally submit and merge a PR. It's not everything we need, but it is something we need. I.e. necessary but not sufficient. What most concerns me about the new class of attacks is that it's no longer necessary for a product to ship with the malware to infect people. Committing it to the repo is sufficient to infect other developers who simply checkout and build the code. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
