alt Hacker NewsThe agent can't exactly show up to an in-person key signing party, can it?
And how many people are both dedicated enough to go to key signing parties and stupid enough to let an agent act without supervision in the name of their real-world identity?
Replies
brazzy • today at 7:16 AM
If gpg-style web of trust became ubiquitous, it would require correspondingly less dedication.
And on the other hand, if this was actually working up to an xz style supply chain attack, the dedication would certainly not be lacking.
➕ show 1 reply
In this case the nathan-bot was also still on a plausible side - all the PRs looked kinda trivial & there were not outright rejections that would be a red flag for a maintainer checking the GitHub account activity during PR review.
Mucking with Bugzilla & reassigning bugs especially is what seems to have led to the discovery, rather than spotting an accumulation of nonsensical PRs or other behavior related to code unmasking the bot.