in which he explains that having the source code of a piece of software is not enough to be sure it contains no malware: the entire vertical chain, from the hardware up to the compilers, has to be checked.
The SolarWinds case falls into this category.
— Beppe
To put it in the words of researcher David A. Wheeler: [4]
The long-term goal should be that “we can ensure that all OSS compiled
code is accurately represented by its source code”. The source code
may include malicious statements, but source code is what developers
review, so we’ve fundamentally changed the game to ensure that “what
is reviewed is what is run”.
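As an added illustration of the "what is reviewed is what is run" goal (this is not code from the thread or from Wheeler), the script below builds the same constructed source tree twice in separate working copies and treats the build as trustworthy only when both artifacts have the same SHA-256. It assumes GNU tar and coreutils sha256sum; the artifact is a tar file rather than a compiled binary, and the SOURCE_DATE_EPOCH default is an arbitrary chosen value.

```shell
#!/bin/sh
# Added example: minimal reproducible-build check.
# Two independent builds of identical reviewed source must yield
# byte-identical artifacts; otherwise the shipped artifact cannot be
# tied back to the source that was reviewed.
set -eu

make_source_tree() {            # constructed sample source tree
    mkdir -p "$1/src"
    printf 'int main(void){return 0;}\n' > "$1/src/main.c"
    printf 'all: src/main.c\n' > "$1/Makefile"
}

# Naive build: tar keeps file mtimes, owner names and directory order,
# so two builds of the same source differ.
naive_build() {                 # $1 = source dir, $2 = output artifact
    tar -cf "$2" -C "$1" .
}

# Reproducible build: pin every source of nondeterminism
# (entry order, timestamps, ownership).
reproducible_build() {          # $1 = source dir, $2 = output artifact
    SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1700000000}"   # assumed default
    tar --sort=name --mtime="@$SOURCE_DATE_EPOCH" \
        --owner=0 --group=0 --numeric-owner \
        -cf "$2" -C "$1" .
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

# Returns 0 when two independent builds of the same source agree.
verify_reproducible() {         # $1 = name of the build function to test
    work=$(mktemp -d)
    make_source_tree "$work/a"
    sleep 1                     # second copy gets different mtimes
    make_source_tree "$work/b"
    "$1" "$work/a" "$work/out_a.tar"
    "$1" "$work/b" "$work/out_b.tar"
    da=$(digest "$work/out_a.tar")
    db=$(digest "$work/out_b.tar")
    rm -rf "$work"
    [ "$da" = "$db" ]
}
```

Run `verify_reproducible reproducible_build` to see the pinned build pass and `verify_reproducible naive_build` to see the unpinned one fail.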