EVA negligent?
“To claim a Pod, all an attacker needed to do was transmit a particular CURL request, and voila – they would have free rein to modify a Pod and insert malicious code.”
EVA could have proved the GitHub orphaned pod reclaim process was flawed and done the community a favour, by using CURL to claim all orphaned CocoaPods. They might then have used this to achieve better funding of security research by the majors… Yes, I know it’s borderline blackmail, but it is clear security researchers such as EVA are an important part of the modern IT ecosystem and, even if everything were to be written in Rust, they would still be performing a useful task. Hence we really need to start giving them more than breadcrumbs.