Technologist vs. spy: the xz backdoor debate

by rbc on 3/30/24, 1:20 PM with 23 comments
by trogdor on 3/30/24, 4:19 PM

>In other words, all signs point to this being a professional, for-pay operation — and it wouldn’t be surprising if it was paid for by a foreign government.

Or a not-foreign government…

by bediger4000 on 3/30/24, 2:35 PM

This is an interesting article. Zalewski is almost unique in the ability and credibility to write this. He used to work for Google in infosec, he's got a lot of experience writing code, and he no longer works for a big corporation, so he's free to say what he thinks.

by colejohnson66 on 3/30/24, 5:28 PM

More evidence that the OSS community needs to drop the “many eyes” theory of security

by shnkr on 3/30/24, 5:08 PM

>The relationship with commercial vendors isn’t always healthy, but many major OSS projects are supported to a significant extent.

Almost always the so-called "community" supporting an OSS project is an employee of a commercial vendor who is only interested as long as he is assigned to the project or task.

The solution is to have full-time owners and maintainers for all the critical projects, and the government has to foot the bill. The govt can set up a division to identify such projects.

by publius_0xf3 on 3/30/24, 6:46 PM

>In fact, here’s an interesting thought: perhaps they have known for a while. Would we be able to tell the difference between a carefully-timed disclosure — presumably engineered to conceal “methods and sources” — and a serendipitous discovery?

by egberts1 on 3/30/24, 4:02 PM

All that can be avoided by doing really good sets of unit tests and integration tests, then incorporating their test results into the validation part of the repository.