Those should be closed WONTFIX. Neither doas nor sudo can protect you from the consequences of running untrusted code and must not attempt to do so because it adds needless complexity to safety-critical software.
Then you are overlooking two things that provide important context: her previous behavior in similar circumstances of discovering bugs, and the opening sentence:
> My life as a mercenary sysadmin can be interesting.
To me this reads as "I was hired as a consultant for something that required a very restrictive NDA."
- There is no commit with a SHA1 like that in atop's Git history, and what you shared is too long for a SHA1; it looks more like a SHA256. Did you share the right checksum? The only other way I can read this is that it's a SHA256 checksum of one of the past atop release tarballs or artifacts. I have not yet checked those.
- I have tried finding your tool Bismuth, but all I find are things about KDE and cryptocurrencies. Please share a link to the Bismuth that you are working on.
- You technically said that you are working on Bismuth /and/ found something, not that you found the bug /through/ Bismuth. Please clarify if and how that was the case.
- That SHA is just a proof marker, so that if it turns out we are correct we can prove we had it at that time.
- Bismuth did indeed find the bug, our bug scanning feature in particular. Obviously we're going to sit on our hands until the maintainer gives the all clear but we'll write something up after this is all squared away
pretty sure it's just a hash of some text they can reveal later, to prove that they had something at this point in time. not referring to any release or commit
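The "hash of some text to reveal later" pattern described in the comments above is a hash commitment. The following is an added example (not code from the thread, from Bismuth, or from atop) showing how such a proof marker is made and checked, why a random nonce should be mixed in, and a helper that classifies a hex string by length the way the earlier comment reasons (40 hex characters for SHA1, 64 for SHA256). All function names and the sample messages are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Hypothetical helper: classify a hex digest by its length, as in the
# "too long for a SHA1, looks more like a SHA256" reasoning above.
def looks_like_digest(s: str) -> Optional[str]:
    s = s.strip().lower()
    if not s or any(c not in "0123456789abcdef" for c in s):
        return None
    return {40: "sha1", 64: "sha256"}.get(len(s))


# Commit to a message now; publish only the hex digest. Keep (nonce, message)
# private until the reveal. The nonce prevents anyone from confirming a
# guess of the message by hashing candidate texts.
def commit(message: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    if nonce is None:
        nonce = os.urandom(32)
    digest = hashlib.sha256(nonce + message).hexdigest()
    return digest, nonce


# At reveal time, anyone holding the published digest can check that the
# disclosed nonce and message reproduce it (constant-time comparison).
def verify(commitment_hex: str, nonce: bytes, message: bytes) -> bool:
    expected = hashlib.sha256(nonce + message).hexdigest()
    return hmac.compare_digest(expected, commitment_hex.lower())


# Why the nonce matters: a bare sha256(message) of a short or predictable
# text can be confirmed by trying candidates. This is the attack the
# nonce defeats; it is included to show the failure mode, not as a recipe
# for anything the thread itself describes.
def guess_unsalted(commitment_hex: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == commitment_hex.lower():
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: the text a finder might want to timestamp.
    finding = b"Example finding text (constructed sample, not a real report)"
    published, secret_nonce = commit(finding)
    print("publish this now:", published, looks_like_digest(published))
    # Later reveal: others verify the marker against the disclosed pair.
    print("reveal verifies:", verify(published, secret_nonce, finding))
    print("tampered text verifies:", verify(published, secret_nonce, b"something else"))
```

A proof marker of this kind only shows that the poster held some text at the time the digest was posted; it says nothing about whether that text is correct, which is why the thread still waits on the maintainer. Posting a bare hash of a short description would also let anyone who guesses the text confirm it, so the nonce should be kept with the message and disclosed together with it.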