More malware in the source? Could be…
Posted by Ed in Analysis on Jun 15, 2010
The other day, we discussed a little bit the recent issue discovered in the UnrealIRCd server where someone had compromised the source distribution to insert a nasty rootkit. It’s an interesting event, and there’s still plenty of shakeup about it.
This morning, I came across someone asking the question of how much more of this type of activity might be out there that we just haven’t found yet. A good question, if a bit scary to consider. It comes down to something I’ve thought for a while now, which is: if you crowdsource a process, you have to weigh very carefully the impact of what happens if the crowd doesn’t respond. In the case of collaborative development – such as an open source project – when you crowdsource the security audit of the code, you have to also consider what happens if the crowd doesn’t deliver.
It’s a useful question to consider – I don’t mean to be a FUDmonger about this, but I think there could be more of these on the horizon. I guess time will tell.


