Also, I am interested by the strong reaction to this exploitation of the #OpenSource supply chain. Yes, it shows a weakness in trust and the maintainer model. There are big questions to answer. What if this was not stopped as early, or if it breached #EnterpriseLinux?
Yet at the same time, the most practical way this could have been discovered is the #FreeSoftware way. Someone was literally performance testing a PostgreSQL database, saw something weird, and shared their discovery with others.
@jwf Even more scary: what if this was in proprietary software and someone went “huh this is odd” and the company ignored the bug report completely until it was more widespread. If even at all.
@jwf@travis I've been in those situations and they're not fun:
Report: We can't release this. It would be very harmful. Produces proof of concept demonstrating the behavior under entirely usual circumstances
"It meets business requirements and the unit tests pass, so you need to explain to us all why you are trying to hold us up from meeting our promised deadlines."
@jwf@travis My favorite was when I dug in and we got the other engineer group in the room and they took one look and said, "Oh, dang, yeah, sorry - we gave you the wrong specs. You can't release that!"
Add comment