Whether you call it a Trojan horse or code injection (https://owasp.org/www-community/attacks/Code_Injection), there is more risk than ever of hackers not only gaining access to your code, but doing so by persuading you that they are a known, valued contributor. This risk multiplies in large-scale open source communities that have not only thousands of contributors, but also dependencies on other open source projects. Since https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?cmp=pr-sig have at least some open source components, according to an April report from Synopsys (https://www.synopsys.com/software-integrity.html?utm_content=inline-mention), this isn’t just an open source problem.

The emerging security best practice of masking metadata prevents this preferential treatment and reduces the likelihood of successful malicious code injection.

Blanket application of metadata masking would also put the community part of an open source community at risk.
