
Don't worry, they (it's a team) also contribute to image libraries, WebKit, Kubernetes, ...


Yes, unironically, that, being a huge leak, really convinces me that we all have multiple RCEs on each of our systems. I mean, we already kinda knew that, of course, but even now that I'm typing this it's a bit hard for me to actually believe it. But realistically I think it's pretty much a proven fact. This level of sophistication… what did I even expect? Of course well-paid teams of high-level professionals have been working in this area for a very long time by now. This is basically like professional football players competing against office workers in their late thirties who like to kick a ball on weekends. I am comforting myself by thinking that something a bit more high-level, written in Python or even Golang, or, oh hell, maybe even Rust would be a bit more transparent for other contributors… but even this is probably a lie. And if it weren't, surely tons of super-popular low-level packages written in C/C++ are as good as incomprehensible for somebody who isn't specifically security-auditing this.


I never understood and continue to be baffled by the naïveté of FOSS people giving commit access to core projects to unknown parties. Assume they're a state actor or a crazy person, until proven otherwise.


That effectively means you cannot share commit rights with anybody. How am I supposed to vet someone as not a state actor? Any plausible test could be thwarted by a motivated individual.


Synchronous socialization and meeting their friends and fam. Not knowing people well is a vulnerability.


A state actor is potentially the only person financially supported enough and willing to do this.

"You're in Zurich this weekend? Oh wow, me too. I'm holidaying with my wife. Let's grab lunch" as they proceed to prepare their military expense form for two business class tickets for them and their coworker



