
Two GCC stories

Posted Jun 30, 2010 16:51 UTC (Wed) by gmaxwell (guest, #30048)
In reply to: Two GCC stories by fsateler
Parent article: Two GCC stories

Of course it matters: A large part of the incentive structure that improves our confidence that someone isn't planning on doing "bad things" is the fact that if you do bad things people with uniforms can come and lock you up and you know it. The existence of consequences allows us to make some additional reasonable assumptions about the future behaviour of apparently sane people.

Reputation is informative by itself, and the loss of reputation is a consequence, but it really isn't much of one as people can maintain several reputation building personalities at once... and especially not compared to some of the consequences which are available when we can reliably track someone to their one and only meat-space identity.



Two GCC stories

Posted Jun 30, 2010 17:08 UTC (Wed) by nix (subscriber, #2304) [Link] (4 responses)

> Of course it matters: A large part of the incentive structure that improves our confidence that someone isn't planning on doing "bad things" is the fact that if you do bad things people with uniforms can come and lock you up and you know it.

That would make sense if the FSF refused contributions from nations that had no extradition treaty with the United States. But it doesn't (because that would mean locking most of the world out of development of FSF-owned projects, and because it's obviously ridiculously intrusive, and, well, if you're planning to do bad things you can lie about your country of origin just as easily as you can lie about your name).

Two GCC stories

Posted Jun 30, 2010 20:08 UTC (Wed) by nteon (subscriber, #53899) [Link] (1 responses)

yes, but it seems to me to be a lot less risky to accept a fixed, isolated changeset into a version control repository than giving someone a shell on a (seemingly) multi-purpose box.

Two GCC stories

Posted Jun 30, 2010 22:19 UTC (Wed) by nix (subscriber, #2304) [Link]

Certainly true enough.

Two GCC stories

Posted Jul 2, 2010 0:57 UTC (Fri) by gdt (subscriber, #6284) [Link]

> That would make sense if the FSF refused contributions from nations that had no extradition treaty with the United States.

Extraditing people to the country of the affected server is both unusual and contentious, ref Gary McKinnon.

Most countries have laws against computer misuse. An overseas complainant can contact the police and provide evidence to prosecutors.

The US isn't the world policeman

Posted Jul 2, 2010 9:25 UTC (Fri) by copsewood (subscriber, #199) [Link]

Online reputation and software development are global, computer misuse laws are local and national. The idea that software development integrity requires extradition to the US depletes the external reputation of the US, especially amongst those aware of extradition misuse, as with the Gary McKinnon case.

Two GCC stories

Posted Jun 30, 2010 17:12 UTC (Wed) by madscientist (subscriber, #16861) [Link]

I don't know how it works now but when I got my account on the GNU machines (as best as I recall--it was almost 15 years ago) I had to send a photocopy of my driver's license to the FSF. I also had a phone conversation with someone at the FSF (to verify my phone #--although I don't have that number anymore) and during that phone call they verified my SSH key fingerprint. Also when you do any copyright assignment to the FSF, it's all done via snail-mail (and IIRC you cannot use P.O.Boxes for legal reasons) so they have a valid address for you... and of course if you're getting a login account on an FSF machine it's a very fair bet that you'll need to be doing some sort of copyright assignment.

The FSF is different than some other environments where "getting access" just gives you the ability to promote git code over SSH or HTTPS or similar: for the FSF you get an actual login account, with shell access and everything, on their servers and this gives you a LOT of capability for mischief.

The FSF systems HAVE been hacked before and it's very unpleasant. I definitely do not begrudge them this requirement. It's not like NightStrike has to publish his information to everyone; it just needs to be available to the FSF folks. I see absolutely nothing unreasonable about this.

I do agree that if the only requirement is that he email them a "real sounding" name, the whole thing is ridiculous... in that case I support his refusal on the grounds of civil disobedience :-)

Two GCC stories

Posted Jul 1, 2010 12:28 UTC (Thu) by epa (subscriber, #39769) [Link] (4 responses)

Quite. The key point is that you can make as many pseudonyms as you want, but you have only one real name. If there were some way of checking that this 'Nightstrike' is also called by the same name in other contexts, such as his or her day job, and of guaranteeing that the same person cannot invent new ones, then it wouldn't matter what the name is.

From a computer-security point of view, as Nightstrike points out, it makes no sense to ask for a real name without doing any verification on it. But from a social point of view, encouraging the use of real names rather than anonymous or pseudonymous handles can create a better atmosphere for collaboration. The online encyclopaedia Citizendium, for example, has a policy that everyone contribute under their real name. It is held that this will tend to get better contributions and more mature discussions.

Two GCC stories

Posted Jul 1, 2010 15:16 UTC (Thu) by k8to (guest, #15413) [Link] (2 responses)

A little point. People can make up new real names.

Screen names vs real names

Posted Jul 3, 2010 3:12 UTC (Sat) by giraffedata (guest, #1954) [Link] (1 responses)

> A little point. People can make up new real names.

It's actually a pretty big point. There is little distinction between what we're calling a "real name" and "NightStrike." There are countries where a person has a single well-defined legal name (not to mention number), but plenty where a person doesn't. The U.S. is one of the latter. Also, some countries have a dictionary from which you must choose a name, but most, including the U.S., don't.

A person can not only make up a new name, but go by multiple ones at the same time and use a name as silly as he pleases. Legal procedures come into play if you want to force someone else to call you that, and you're not allowed to use a name with intent to defraud, but the essential point is that a name is not an identity and vice versa.

It makes sense for FSF to want to have the name or names that a person uses with his bank account, residence, and criminal convictions, in addition to enough additional identifying information to disambiguate that name. But it doesn't make sense just to ask for a "real name."

Screen names vs real names

Posted Jul 3, 2010 4:00 UTC (Sat) by gmaxwell (guest, #30048) [Link]

I don't really mean to single out you, but a number of the comments here reflect what I perceive to be a kind of "computer engineer's autism" ... a notion that things are binary, that a preventative measure either works in an absolute, quasi-mathematical sense, or it's worthless.

But the world doesn't fit into nice little binary boxes like that. It's quite possible for someone to join a project with fully honest intentions and only to later decide to do something dishonourable, perhaps inspired by some dispute or the like. Of course, they're less likely to do so if they'd given their real name at the start, taking the risk of real repercussions. So even if you do _nothing_ more than to ask for a real name and perform no validation that does provide a value. It's not an absolute proof: nothing is... Just an additional piece of confidence that costs most people very little.

... and does the FSF really want important contributors who need to hide their connection? For their sake and the FSF's it would probably be better if someone who needs to hide their affiliation didn't contribute in that way. Anonymity is a powerful and important tool, but it is often a danger: Under the believed guise of anonymity we'll engage in activities we would otherwise deem too risky. Should that anonymity be shattered we regret our decisions to depend on it.

Of course, people do manufacture multiple online identities. I've seen quite a few instances of people building up multiple admin accounts on the English Wikipedia— each representing at least a hundred hours of work, if not several hundred, building social connections, community trust, and making useful contributions to the encyclopaedia. Are they more likely to just make up another 'real name' than build a virtual reputation? I don't know— asking for a real name doesn't do much against someone who came in with an intent to defraud. Like the locks on most doors and containers, asking for a name helps keep honest people honest. I think it's obvious that if you ask for both a real name and a virtual reputation you get a superior protection compared to doing either alone.

It might be the case that the FSF should be doing more detailed identity-validation... I don't know what they do today, as I know too many FSF people fairly personally, and I don't have a good feel for what level would be sufficient for their needs. But I do think we need to reject these binary notions of security. The world's problems have infinite shades of grey, and our tools need to be as numerous and varied if we are to address these issues. Regardless of how lossy the existing process is, that lossiness is an argument for strengthening it, not for abandoning the protection it currently provides, however small.

Two GCC stories

Posted Jul 1, 2010 15:43 UTC (Thu) by nix (subscriber, #2304) [Link]

I'm not really sure the nearly-moribund Citizendium is the best possible example to bring up in this context :)

Two GCC stories

Posted Jul 1, 2010 17:30 UTC (Thu) by vonbrand (subscriber, #4458) [Link] (3 responses)

I've yet to see anybody being able to "build several reputations" at once... besides that it is a lot of work to build a solid reputation, the reward from squandering it would have to be very large indeed.

Two GCC stories

Posted Jul 1, 2010 23:42 UTC (Thu) by Kissaki (guest, #61848) [Link] (2 responses)

This sounds to me like what I have heard described as an "alt" or a "sock puppet". I've seen multiple people do / use this to build two (or more? How do you know?) reputations at once.

Admittedly the tendency seems to be to build at least one troll reputation in my experience, but the point is that multiple reputations seem pretty common to me.

Two GCC stories

Posted Jul 2, 2010 12:08 UTC (Fri) by sorpigal (subscriber, #36106) [Link] (1 responses)

The important thing, I think, is that when someone goes through the trouble of building multiple reputations he doesn't trash them casually. If I have a troll identity and a respectable identity you can probably trust the respectable identity to remain respectable even if I were committing major crimes with another identity.

Two GCC stories

Posted Jul 4, 2010 3:18 UTC (Sun) by Kissaki (guest, #61848) [Link]

It sounds to me like the possibility exists that the reputation would not be trashed casually.

That reputation could be used as a tool to accomplish something worth more than the time spent to develop it. This is social engineering. Access to the development of GCC could (paranoia talking) be a stepping stone to compromising a wide variety of software.

In addition, you are assuming that the resulting identity would be 'trashed'. A clever intruder would not expose him (or her) self as a wrongdoer (where is the gain in that), but would act in secret. You might never discover their actions.

Online identity and reputation is worth something; no question. But you place too high a value on it in my opinion.

Two GCC stories

Posted Jul 8, 2010 21:08 UTC (Thu) by landley (guest, #6789) [Link] (1 responses)

> Of course it matters: A large part of the incentive structure that
> improves our confidence that someone isn't planning on doing "bad things"
> is the fact that if you do bad things people with uniforms can come and
> lock you up and you know it.

So we shouldn't allow any developers from outside our current legal jurisdiction? No developers from Bangladesh, the Ukraine, Brazil, Malaysia, Africa... Because even if you have their GPS coordinates, filing a complaint against them here in the US won't have Large Blue Men pounding on their doors any time soon.

Also, the lead developer on Gentoo Embedded is solar@gentoo.org, who put Ned Ludd in the real name field. That's not his real name:

http://en.wikipedia.org/wiki/Ned_Ludd

In that particular case, I have met him in person (after knowing him online for a few years, we got together at an embedded Linux conference), and it turned out he's actually male, which means he's not using the single most common reason for online handles. (Which is the same reason Val Henson went by "Val" for so long, and Pat Mochel went by "Pat".) There are parts of the net on which being obviously female attracts unwanted attention.

And no, linux-kernel isn't the only place that comes up:

http://www.tgdaily.com/games-and-entertainment-brief/5055...

As for the FSF, in the 1980's their high-bandwidth FTP site (provided by MIT) was their killer app, a unique resource that drew developers to them. Back then just about the only way for an individual to get online distribution for their code was to sign it over to the FSF so they would put it up on their FTP site. (Which is why Larry Wall handed patch over to the FSF, back before he wrote Perl.) People were willing to jump through the copyright assignment hoops and put up with the extremist political rhetoric in order to get internet distribution for their code.

All that changed in 1993 when NSF changed its (AUP) Acceptable Use Policy to allow for-profit firms to connect directly to the internet, which allowed everything from home ISPs to companies like Yahoo:

http://landley.net/history/mirror/nsfnetaup.txt

And suddenly you didn't _need_ the FSF to distribute your code anymore, you could put it anywhere. And that's about when the FSF started a long slow downhill slide.

Linux didn't render the FSF irrelevant: Geocities did.

Rob

Two GCC stories

Posted Jul 9, 2010 17:13 UTC (Fri) by nix (subscriber, #2304) [Link]

You do realise that you devalue your own words as soon as you start describing the carefully reasoned arguments in the FSF's many articles as 'extremist political rhetoric', right?

(Your point about the FSF's FTP site stands, but not that well: there were many other high-bandwidth sites around even in the 80s with very large repositories of code on them. Much of that code was dramatically less free than the GPL or BSD licenses: oddly, nobody remembers most of that stuff anymore, while the GPL-licensed code soldiers on.)


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds