
Verify the identity of developers

Posted Mar 30, 2024 9:48 UTC (Sat) by kazer (subscriber, #134462)
In reply to: Verify the identity of developers by epa
Parent article: A backdoor in xz

> But what if GitHub required all contributors to use their real name and strongly verified their identity?

That is meaningless when GitHub is used just as a mirror and real commits happen elsewhere.
You would need to require that in every repository for everyone contributing.

Something having a PGP/X.509 signature for every committer and commit would be part of the solution, but in case someone decides to turn to the dark side you still need to review every change.

And the key here is that these changes were not sufficiently reviewed since we don't know if the account was compromised or not.




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds