On Wed, Apr 3, 2024, 3:09 AM Florian Weimer via Gdb wrote:

> * Guinevere Larsen via Overseers:
>
> > Beyond that, we (GDB) are already experimenting with approved-by, and
> > I think glibc was doing the same.
>
> The glibc project uses Reviewed-by:, but it's completely unrelated to
> this. Everyone still pushes their own patches, and there are no
> technical countermeasures in place to ensure that the pushed version is
> the reviewed version.

Or that there isn't "collusion" between a malicious author and reviewer. Just tagging it approved or reviewed by just gives you two people to blame. It is not a perfect solution either.

But double checking and checklists are good practices. They are not foolproof if some bad actor is determined enough.

--joel

> Thanks,
> Florian