
Six degrees of separation

Posted Sep 4, 2025 23:33 UTC (Thu) by johnfrombluff (guest, #90350)
Parent article: The hidden vulnerabilities of open source (FastCode)

As others have commented, this article is sensationalist clickbait, and applies to closed as well as open source.

However the sensationalist aspect is predicated on the current ability to spot LLM-generated code or email interactions. As such, it's worth pondering that this ability may erode soon as LLMs advance, and the ability of bad actors to leverage them increases. So the only response that I can see is a web of trust, similar to (open)PGP key signing parties.

Would that be feasible in day-to-day practice? (I am a hobbyist coder, not a professional.) Could a maintainer do their job while only accepting commit requests from parties that are in that web of trust? Famously, everyone in the world is supposedly reachable by someone-who-knows-someone-who-knows-someone, etc.

Workable?


Six degrees of separation

Posted Sep 5, 2025 1:35 UTC (Fri) by neilbrown (subscriber, #359)

The problem I have with the web of trust is that trust is not transitive.
I trust various people and I trust different things about each. I trust this person's opinion on food, that person's opinion on music, the other person's judgement of character. In at most one of those cases is there any possibility of transitivity and it is very limited.

Trust of people is important in software development, but it mostly relates to the social aspects. Code must be analyzed and tested on the assumption that it is buggy no matter who wrote it.
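The two positions in this thread can be made concrete with a small trust-graph model. The following is an added example written for this page, not code from LWN, from either commenter, or from any project. It compares a naive "six degrees" policy (accept a commit from anyone reachable within N hops, ignoring what each hop trusts the next person for) with a scoped, non-transitive check (only a direct edge whose scope is "code" counts), and in between a chained policy that requires every hop to carry the "code" scope. The people, edges and scopes are constructed sample data.

```python
"""Web-of-trust policies for accepting contributions (added example).

Models three ways a maintainer might decide whether to accept a commit:
  - "transitive": anyone reachable within max_hops, regardless of scope
    (the "six degrees" idea from the first comment);
  - "chained":    reachable within max_hops, but every hop must be a
    "code" trust edge;
  - "scoped":     only a direct "code" edge from the maintainer counts
    (trust is not transitive, as the reply argues).
All names and edges below are constructed for illustration.
"""
from collections import deque

# Constructed sample trust graph: (truster, trustee, what the trust is about).
TRUST_EDGES = [
    ("maintainer", "alice", "code"),
    ("maintainer", "bob", "music"),       # bob is trusted on music, not code
    ("alice", "carol", "code"),
    ("carol", "dave", "character"),       # dave is a good person, says carol
    ("bob", "eve", "code"),
]


def build_graph(edges):
    """Adjacency map: graph[truster][trustee] = scope of that trust."""
    graph = {}
    for truster, trustee, scope in edges:
        graph.setdefault(truster, {})[trustee] = scope
    return graph


def reachable_within(graph, start, target, max_hops, scope=None):
    """Breadth-first search for a trust path of at most max_hops edges.

    With scope=None any edge may be followed (naive transitive trust).
    With scope="code" every edge on the path must carry that scope.
    Returns the hop count of the shortest qualifying path, or None.
    """
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == target:
            return depth
        if depth == max_hops:
            continue
        for nxt, edge_scope in graph.get(node, {}).items():
            if scope is not None and edge_scope != scope:
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None


def trusted_for(graph, truster, trustee, scope):
    """Non-transitive check: a direct edge with exactly this scope."""
    return graph.get(truster, {}).get(trustee) == scope


def accept_commit(graph, maintainer, author, policy, max_hops=6):
    """Apply one of the three policies to a (maintainer, author) pair."""
    if policy == "transitive":
        return reachable_within(graph, maintainer, author, max_hops) is not None
    if policy == "chained":
        return reachable_within(graph, maintainer, author, max_hops,
                                scope="code") is not None
    if policy == "scoped":
        return trusted_for(graph, maintainer, author, "code")
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    graph = build_graph(TRUST_EDGES)
    for author in ("alice", "bob", "carol", "dave", "eve"):
        verdicts = {p: accept_commit(graph, "maintainer", author, p)
                    for p in ("transitive", "chained", "scoped")}
        print(f"{author:6s} {verdicts}")
```

Under the naive transitive policy, eve is accepted because maintainer trusts bob and bob trusts eve, even though the maintainer's trust in bob is about music; dave is accepted via a path that ends in a judgement of character, not code. The chained policy rejects both of those but still accepts carol on alice's say-so, which is exactly the hop the reply is sceptical of. Only the scoped policy reduces to the maintainer's own direct judgement, and none of the three says anything about whether the code itself is sound.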


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds