It's not a matter of "immune" - larger organizations generally have more resources to allocate to things like this. That doesn't mean they get it right 100% of the time, but they are at least able to try, while small teams or volunteer projects often simply don't have the hours to spend on things like this.
lol larger organizations don’t spend money on this, they add some useless ‘secops’ tools to their CI and call it a day. They are certainly not doing things like reproducible builds, lol half of them don’t deploy signature verification.
and unlike GPL software, there is typically an army of lawyers, an expressed warranty, legal liability, etc.
I've sat in some pretty large orgs and my own experience was the "resources allocated" went to the PR team. I can assure you that they would have had a more boring, corporate sounding announcement with multiple references to their legal team and the actions they would have taken, alongside some useless information about being PCI compliant or something. I'm not convinced the practical output is any better.