Can Microsoft plant a backdoor in the Linux source on GitHub secretly?

6 points by CoderCV 8 years ago · 6 comments · 1 min read


Linux repository - https://github.com/torvalds/linux

PaulHoule 8 years ago

It's open source.

Everybody would be able to see it. It might be hard to figure out, but you couldn't get away with it forever.

For that matter anybody who contributes to Linux could contribute a bad patch. Remember that a bad patch doesn't have to look like it has evil intent, it just looks like the author wasn't being careful with memory and... oops, there is a buffer overflow there.

archi42 8 years ago

I'm not aware this is possible. The git commits form some kind of dependent hash tree, so you cannot "rewrite history" without screwing up that tree.

Meaning: If someone altered the code on GitHub, the current trunk's hash would change. Subsequently, if Torvalds tries to push to this repo, he would receive an error.

Of course MS could offer Torvalds one "version" of the git, and everyone else a "tampered version"; keeping the two in perfect sync. But since the kernel git is also located on other sites, this tampering would show up sooner rather than later.

Edit, some small nit-picking: I think this should be prefixed with "Ask HN:" ;)
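An added example, not part of any comment in this thread: it recomputes Git-style SHA-1 object ids for a small constructed history to show why altering an old commit changes every later commit id, which is what a comparison against another mirror would catch. The file contents, identity string and the `LOCAL`/`SERVED` names are assumptions made for illustration.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<type> <size>\\0' + body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files: dict) -> str:
    """Flat tree of regular files; each entry embeds the raw blob id."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\0" + blob
    return git_object_id("tree", body)

def commit_id(files: dict, parents: list, message: str) -> str:
    """A commit body names its tree and its parent commit ids."""
    who = "A Dev <dev@example.org> 1500000000 +0000"  # constructed identity
    lines = [f"tree {tree_id(files)}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {who}", f"committer {who}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def build_history(snapshots: list) -> list:
    """Commit ids, oldest first, for a linear list of (files, message)."""
    ids = []
    for files, message in snapshots:
        ids.append(commit_id(files, ids[-1:], message))
    return ids

def first_divergence(ours: list, theirs: list):
    """Index of the first commit where two copies disagree, else None."""
    for i, (a, b) in enumerate(zip(ours, theirs)):
        if a != b:
            return i
    return None

# Constructed sample: the served copy alters only the middle commit.
SAFE = {"copy.c": b"if (n <= sizeof buf) memcpy(buf, src, n);\n"}
ALTERED = {"copy.c": b"memcpy(buf, src, n);\n"}
LOCAL = build_history([({}, "init"), (SAFE, "add copy"), (SAFE, "release")])
SERVED = build_history([({}, "init"), (ALTERED, "add copy"), (SAFE, "release")])

if __name__ == "__main__":
    print("first differing commit:", first_divergence(LOCAL, SERVED))
    print("local tip :", LOCAL[-1])
    print("served tip:", SERVED[-1])
```

The last commit has byte-identical files in both histories, yet its id still differs because the commit body includes the parent id.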

LinuxBender 8 years ago

Is GitHub the master, or a sync from somewhere else? Are the commits GPG signed? Does anyone here know for a fact the build/test pipeline(s) validate on checkout that git has no errors and require human intervention if it does?

BentFranklin 8 years ago

Never ascribe to stupidity that which can adequately be explained by malice masquerading as stupidity.
