His code contributions have always been high quality, and they’re audited by his peers. It’s very unlikely malicious code would come from him, and even more unlikely it would make it through onto your phone.
While he’s certainly unhinged, it’s clear that he cares deeply for the project. I can’t see him doing anything intentionally malicious.
I really wish him the best, and I’m glad he stepped down. Much better for optics with him out of the way.
This might age horribly, but I never really understood the worry that a high-profile open source developer might ‘smuggle’ some dodgy code into a repo. Sure, it’s possible, especially in large projects, but the risk/reward ratio is simply ridiculously bad and there are so many other/simpler ways out there a malicious actor could use to make a profit.
The risk is definitely not higher than the risk of some closed-source dev smuggling something dodgy into a high-profile project like e.g. Windows.
That said, I would trust an unknown git repo about as much as I would trust some exe I found on a random website.