This is an excellent piece. I often wonder about adversarial security issues in large-scale OSS projects like the Linux kernel. You don't even need to hack commit access to the repo. One can intentionally hide malicious code in plain sight in what would otherwise appear to be a benign change (thanks to undefined behaviour in C/C++). What if a black hat hacker climbs up the Linux contributor hierarchy? What if a person who is already higher up in the OSS hierarchy decides to defect and plant a logic bomb? Given that the Linux kernel now runs the majority of our world, from servers in data centers to mobile phones in our pockets and from hospitals to war machines, security issues like this are a huge deal.
It's a pretty scary prospect, to the point that I have to imagine it's already happening to some degree. If a nation state wants a backdoor, what better way than to bribe the cash-strapped OSS maintainer of that little project that every company depends on?
The problem is that the type of engineers who work on OSS take their own integrity very seriously, and they build their network of trust on that integrity.