Yet you clearly second guess and misunderstand my intentions. The real problem is the threat vector. Where is it easier for intelligence services to operate?
> Yet you clearly second guess and misunderstand my intentions
I can only go off of what you put in plaintext.
> The real problem is the threat vector
So, explain to me the threat vector. If we have a threat vector that is substantiated by, "is Russian" then I think we have a problem. If we have a threat vector of, "Government vets first order software dependencies, but not the second order and soft dependencies of software vendors" then we have something more akin to analysis.
It took Kaspersky being affiliated with, cooperating with (and serving) the FSB in order for it to be banned, not because it was established by Russians.
I wasn't trying to move goal posts. Admittedly I might be sensitive to all the "anything affiliated with Russia is now a conspiracy" style thinking that has come from certain crowds. If I unfairly lumped you in with these folks, then I apologize.
> Russian intelligence
Someone will need to prove that there is a link between JetBrains as a company and Russian intel (aka the FSB) just as what happened with Kaspersky. I doubt that this is the case. It could certainly be a rogue employee, but that's a good amount of speculation. We've seen that the FSB has no issue hacking into companies and organizations without a mole.
> and a lack of due diligence.
I described the attack. What due diligence protects against something that injects itself during compile time and only triggers on specific events?
The risk here is that JetBrains has significant operations in Russia. It is likely a lot easier to get an FSB agent hired into a Russian office. And in fact the Russian government can just order and enforce cooperation. The USA does this all the time and every operation is classified. I would not expect anything less from Russia or China. The company's registration in the Czech Republic (or anywhere) does not prevent this.
Kaspersky is even more obvious because the founder was involved with the KGB even before the 2017 ban. It should never have been used. Now maybe Kaspersky's affiliation is akin to a "communist youth party" card and not necessarily a genuine affiliation, but the point is that you can't trust and then verify in these situations. You have to assume that everyone is hostile unless proven safe.
> the point is that you can't trust and then verify in these situations. You have to assume that everyone is hostile unless proven safe.
Are you getting this from somewhere or are you explaining how you perceive the standards?
The laws I'm familiar with generally have to do with pretty specific criteria for delivering software that touches specific types/classifications of data. None of that would've caught how the JetBrains software was allegedly used to exploit the SolarWinds product. This was some pretty sophisticated stuff.