Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] Is open source more secure at the current level of AI?



On Thu, 9 Apr 2026 18:37:47 -0400
markw at mohawksoft.com wrote:

> Trust me, I've been in the industry for over 4 decades. Any company
> that puts the effort into scanning their source also will scan the
> open source. This has been common practice for well over a decade. I
> have personally managed CVE detection and mitigation in two companies.

There's even a sub-industry specializing in this. We use three
different vendors' (that I know of, there might be more that the
release group uses that I'm not aware of) systems to scan EVERYTHING we
pull in from outside, EVERYTHING we run, EVERYTHING we write
internally, EVERYTHING we build, and EVERYTHING we ship to our
customers.

We sign everything we ship with a dedicated security appliance. Our
customers can be confident that nothing has been tampered with after it
leaves our network. And if developers forget to sign their test builds?
Or they try to pull in things that aren't authorized? One of those
security systems will kill it and quarantine it. If it isn't validated
and signed then it does not run.

-- 
\m/ (--) \m/
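As an added illustration of the last rule in the post (if it isn't validated and signed, it does not run), here is a small Go gate that admits a build only when its detached Ed25519 signature verifies under the release public key and quarantines anything unsigned, tampered, or signed by some other key. This is example code, not the poster's or BLU's; the key pair, artifact names and bytes are constructed here, and in a real setup the private key would stay inside the signing appliance.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Decision is the gate's verdict for one artifact.
type Decision string

const (
	Run        Decision = "run"
	Quarantine Decision = "quarantine"
)

var (
	ErrUnsigned     = errors.New("artifact carries no signature")
	ErrBadSignature = errors.New("signature does not verify under the release key")
)

// Artifact is a build output plus its detached signature (nil when a
// developer forgot to sign a test build).
type Artifact struct {
	Name string
	Data []byte
	Sig  []byte
}

// Gate holds only the release public key; it never sees the private key.
type Gate struct{ ReleaseKey ed25519.PublicKey }

// Admit returns Run solely for a valid signature from the release key;
// every other case is quarantined with the reason.
func (g Gate) Admit(a Artifact) (Decision, error) {
	if len(a.Sig) == 0 {
		return Quarantine, ErrUnsigned
	}
	if !ed25519.Verify(g.ReleaseKey, a.Data, a.Sig) {
		return Quarantine, ErrBadSignature
	}
	return Run, nil
}

// SignRelease stands in for the signing appliance (hypothetical stand-in).
func SignRelease(priv ed25519.PrivateKey, a Artifact) Artifact {
	a.Sig = ed25519.Sign(priv, a.Data)
	return a
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed release key pair
	gate := Gate{ReleaseKey: pub}
	good := SignRelease(priv, Artifact{Name: "app-1.0.tar", Data: []byte("constructed build bytes")})
	tampered := Artifact{Name: "app-1.0.tar", Data: []byte("constructed build bytes, modified"), Sig: good.Sig}
	unsigned := Artifact{Name: "dev-test.bin", Data: []byte("unsigned test build")}
	for _, a := range []Artifact{good, tampered, unsigned} {
		d, err := gate.Admit(a)
		fmt.Printf("%-12s -> %s (%v)\n", a.Name, d, err)
	}
}
```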




Boston Linux & Unix / webmaster@blu.org