Testing open source patch review processes to see if malicious patches get passed is a perfectly valid thing to do. It's similar to testing that airport security catches weapons in hand luggage.

In both cases, it needs to be done with the consent of the people doing the work.

@liw What's tricky, though, is that if you say "in the next 6 months my university is going to try to get malicious patches in", then the test is worthless.

I am not saying what was done was correct, I just don't see how one can both do a real test and get people's consent. The only alternative I can think of is privately getting the agreement of subsystem maintainers, but then you still experiment on the other developers without their consent.

@agateau That would be a perfectly reasonable objection if pen testing worked that way, but in general it does not.

Chief leadership is aware of the testing. The grunts are not.

A chief reason the leadership is made aware is so that the testers don't get shot / arrested. Though that doesn't always succeed.

But yeah: pre-disclosure is not a universal binary status. It can be to a subset of the group.

See also: red-team/blue-team.

@dredmorbius @liw Interesting. I must confess I don't know much about pen-testing.

What you describe sounds like the alternative I thought about then.

Lars and friends