Verify the identity of developers
Posted Apr 1, 2024 7:08 UTC (Mon) by himi (subscriber, #340)
In reply to: Verify the identity of developers by mjg59
Parent article: A backdoor in xz
Yes, nation state attackers have the capacity to forge ID that will pass any viable checks (non-government or government) - history has given us many examples. But, when those nation states have been caught out doing so it has the potential to result in the kind of negative impacts that nation states actually take seriously - diplomatic incidents, visa refusals or revocations, even changes to policies on visa applications. Sure, true rogue states probably don't care that much about that kind of thing, but anyone that doesn't want to be /considered/ a rogue state by most of the world will care.
Not that I think this is a good argument for requiring real-world ID to be able to make legitimate contributions to free software projects, but it's definitely worth remembering that when real-world ID gets involved the consequences for a lot of things, both good /and/ bad, escalate rather quickly.
Posted Apr 1, 2024 7:22 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (47 responses)
Posted Apr 3, 2024 8:04 UTC (Wed)
by epa (subscriber, #39769)
[Link] (46 responses)
(Unless of course the Mossad operatives took on the identity of real Canadians and looked like them too, so they could in principle have stolen those people’s real passports and used them to travel. I have been assuming they created entirely fake identities.)
How does this relate to checking the identity of programmers? Well, a requirement of “please take a photo of your passport” wouldn’t cut it. But if governments provide a way to validate the passport data (or for an individual to generate a code which can be checked on a govt website, as already happens in some countries) then we do make it harder to create fake identities. A step further would be for an individual to have their public key signed by a government agency. You could at least check the person’s real name and nationality. That’s a lot better than “Jia Tan”.
Posted Apr 3, 2024 12:53 UTC (Wed)
by smurf (subscriber, #17840)
[Link]
Not that difficult to do given reasonably useable infrastructure. In Germany you don't even need direct support from the government to do it (other than having an RFID chip in your document in the first place of course): there's an online service from Governikus that transmogrifies the electronic data in your ID card to a GPG signature. See e.g. mine at 72CF8E5E25B4C293, signed by 5E5CCCB4A4BF43D7.
Posted Apr 4, 2024 14:17 UTC (Thu)
by kleptog (subscriber, #1183)
[Link] (44 responses)
Maybe not in the US though?
But that doesn't really help though, because all it proves is that someone has access to a passport. That doesn't tell you if they're trustworthy or not. And since you're not going to be scanning someone else's passport in the end you're going to be trusting whoever did that the person was actually there, so you've just moved the problem around.
In the end you can never be 100% sure someone is trustworthy. No technical solution can do that. But perhaps we can make a machine learning system that can monitor commits for dodgy stuff to make it feasible for humans to focus on the risky patches.
Posted Apr 4, 2024 18:59 UTC (Thu)
by epa (subscriber, #39769)
[Link]
None of this is completely watertight. But right now it’s kind of embarrassing how easy it is to create a fake identity and use it to contribute or even become maintainer of a project.
Posted Apr 4, 2024 19:33 UTC (Thu)
by draco (subscriber, #1792)
[Link] (42 responses)
It's not about whether they can be trusted, but about whether they can be held accountable if they do something bad.
By comparison, as we've seen, an email, public key, and purported name are nearly useless for these purposes.
(It hopefully goes without saying that these all need to be tied together to one person to be useful, but it was apparently not obvious why a passport helps, so I figured I'd be upfront with that detail.)
Posted Apr 4, 2024 19:37 UTC (Thu)
by mss (subscriber, #138799)
[Link]
Posted Apr 4, 2024 19:43 UTC (Thu)
by pizza (subscriber, #46)
[Link] (39 responses)
Then there's the little problem that most people don't have passports.
So you'd need to handle (and have a way of validating) nearly 200 (non-standardized) national identity documents. Then there are countries like the US that don't have a single (domestic-focused) nation-wide ID [1].
[1] eg the USA, with 50 states, plenty of non-state territories (eg DC and Puerto Rico) and various native tribal IDs, plus military and other federally-issued IDs, and so forth...
Posted Apr 5, 2024 9:46 UTC (Fri)
by smurf (subscriber, #17840)
[Link] (38 responses)
That's likely true if you talk about the world's population as an aggregate.
The actual rate varies rather wildly between countries, and their subpopulation (I'd assume that IT affine people are somewhat more likely to have one than not, for instance).
Posted Apr 5, 2024 12:20 UTC (Fri)
by pizza (subscriber, #46)
[Link] (37 responses)
You're probably right, but I'd still be surprised if a majority of "IT people" in the US have a passport.
(And EU citizens don't need a passport to travel within the EU either)
Posted Apr 5, 2024 12:55 UTC (Fri)
by atnot (subscriber, #124910)
[Link] (9 responses)
Look at CLAs, most people already can't be bothered to e-sign some document in docusign or whatever.
And it's the wrong direction to discuss this anyway. Sure, verifying passports would be a way to verify that people contributing to *your* project are people recognized by some sort of UN government (lots of people aren't, but let's put that aside). But if, say, sqlite, gcc, freebsd, linux or whatever organizations your systems depend on isn't going to enforce your draconian policy, what are you going to do? Or if they do, and a fork develops that just lets people contribute without any riffraff? Are you going to not package their software and everything that depends on it? Rewrite the whole thing from scratch? You can't trust any of their commits after all. Put the stuff without passport checks in a separate repository, which everyone just enables blindly because that's what you actually need to do to get real work done, just like people already do with rpmfusion and universe and flatpak and pypi and everything else?
It's just a completely unrealistic model of free software development that assumes a "supply chain" and an avenue for contractual obligations that just does not exist, cannot exist and is deeply undesired by all of the people this industry runs on, those who publish their code online because it brings them joy.
Posted Apr 5, 2024 13:43 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
This is the key point; if you're going to "solve" this problem, you need to start at the producer end, since the consumers of Free Software have no leverage over the producers in general (you may have leverage in specific cases - say if you employ a producer of Free Software and can threaten their livelihood - but not over the full sum of Free Software).
If you can't come up with a good reason why you'd jump through the hoops you're putting in place to fix a typo in a message the program displays (say changing "the" to "The" because of context), then your hoops are not going to work in general, since there will be plenty of producers of best-in-class Free Software who refuse to jump through your hoops.
Posted Apr 6, 2024 13:14 UTC (Sat)
by smurf (subscriber, #17840)
[Link] (7 responses)
The problem with CLAs isn't that I can't be bothered.
The problem is that assigning my copyright, or the rights thereof (you can't "assign copyright" in some jurisdictions; you created it, you have the copyright, period end of discussion, presuming you didn't do it for an employer) is a very bad idea because it allows the transferee to re-license the work under any proprietary legalese they damn well please. Numerous examples can readily be found in the archives, of LWN and elsewhere.
Showing my passport / ID document to somebody doesn't take away any of my rights.
XZ and of course a whole freakin' lot of other software is the equivalent of critical infrastructure. In most countries, if I want to hire you to work on anything critical, you showing me some official ID document is just the first step in a rather long list of intrusive government snoopage, depending on quite how critical the piece you'd then be able to subvert is; including but *way* not limited to checking that you don't have relatives in $BAD_COUNTRY whose health would be a convenient handle their government might blackmail you with.
You don't want that? fine, go work somewhere else.
Posted Apr 6, 2024 16:42 UTC (Sat)
by atnot (subscriber, #124910)
[Link] (3 responses)
You can say how it would work if this was a company again and again. But this isn't a company. It very explicitly and deliberately does not work like a company.
Posted Apr 6, 2024 18:14 UTC (Sat)
by smurf (subscriber, #17840)
[Link] (2 responses)
> You can say how it would work if this was a company again and again.
I don't recall saying anything more than once.
Also I didn't say that "this", whatever it is, should work like a company. Or that I'm advocating for doing things that way.
All I'm saying is that compared to the security (both real and theater) you're subjected to when working on "this" in a corporate context, requesting something that links your online identity with what most people consider to be the Real World isn't *that* much of a burden.
Given this attack, the idea of finding some middle ground between "you're a $NATION black hat? sure, no prob, here are the keys" and the (IMHO somewhat excessive) hoops the corporate world requires you to jump through when you want to do the exact same thing for $$$ isn't *that* far out.
So we get to talk about it.
There's a material difference between discussing ways to ID people working on critical code and concluding that it's not practical and finding some other way to reach the same goal (clean up our tooling, pay somebody to do code reviews, whatever) and declaring a priori that the topic is not up for discussion because "that's just not how things work".
Posted Apr 6, 2024 18:26 UTC (Sat)
by mjg59 (subscriber, #23239)
[Link] (1 responses)
Posted Apr 6, 2024 19:06 UTC (Sat)
by Wol (subscriber, #4433)
[Link]
"We get to talk about it". And the FIRST thing I'm going to talk about is £££. At which point if you don't want to pay - or I don't want the money! - we're at an impasse.
At the end of the day, there has to be a MUTUAL EXCHANGE OF VALUE. And smurf is assuming he has something of value to offer - BAD ASSUMPTION! I don't know about other people, but as far as I'm concerned, if it involves dealing with the US Authorities, my price is likely to be "Up Yours!!!"
"So we get to talk about it." "Feel free to fork it. I don't care".
Cheers,
Posted Apr 6, 2024 16:53 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (2 responses)
When xz started, and indeed when most of the open source that's now "critical infrastructure" started, it was just a hobby project, and not critical. It became critical because it was useful and became used; but that's on the users, not the developers.
Or are you saying that I'm allowed to demand that you go through a very long list of government snoopage because I've used your comment in something critical, and you now owe me big time for my decision to make use of your work?
Posted Apr 7, 2024 2:35 UTC (Sun)
by draco (subscriber, #1792)
[Link] (1 responses)
Perhaps I don't want the reputational damage of having nation state attacks on my project, so I insist on knowing that the patches I accept are from real, identifiable people from countries I trust
Maybe nobody contributes to my project, maybe I'm ok with that, maybe some people feel better about my project because of that policy
Maybe people who don't like that choose to fork it, that's their right, but then they accept the consequences
Or maybe they do the same thing, but with different trust decisions about who's ok 😂🤷
A variant of this has happened before: DJB is very opinionated about what goes into his software
Is this a good approach? The proof won't be in any arguments about it, but in what actually happens
Posted Apr 7, 2024 11:17 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
But what if you yourself are a nation state attacker? How do I know when I look at something and consider using it that you're trustworthy? How do I as a potential user get you to jump through my hoops that confirm that you are a real, identifiable person from a country I trust?
And remember that for a lot of contributions, I can see that they're safe by review; why would I demand anything from a contributor when it's obvious to me that the change is good as-is? For code where I can't completely review it, I need some degree of trust, but where I can review in full, why would I put you through a barrage of trust checks just to go 'yep, I can see that changing "correct. the system" to "correct. The system" is a good change to make'?
Posted Apr 5, 2024 12:55 UTC (Fri)
by paulj (subscriber, #341)
[Link] (26 responses)
Citizens (and possibly also residents) do not need ID to travel within the Schengen Area. Now, the Schengen Area includes nearly all EU members, but not all. Notably, the 2 island member states are not in Schengen, Ireland and Malta - Ireland can not join Schengen because the UK has never wanted to join, and Ireland has always had an open border with the UK, and will have for the foreseeable future. Malta, not sure why, but perhaps that's also to do with UK relations - however it will be joining at some point soon. Additionally, the EFTA states, and a couple of others, are also in Schengen - but not in EU.
Posted Apr 5, 2024 12:59 UTC (Fri)
by paulj (subscriber, #341)
[Link]
Cause of the Brits.
Posted Apr 5, 2024 14:36 UTC (Fri)
by jem (subscriber, #24231)
[Link] (24 responses)
This is a common misconception. EU citizens are required to carry a government issued ID card or passport if they are traveling abroad, even if the travel is limited within the Schengen area. However, the ID is normally not checked at the border between two Schengen countries, but checks can be reinstated if circumstances require it.
In some countries within the Schengen area (*cough* Germany) citizens are required to be in possession of an ID card (or passport) even within their own country.
Posted Apr 5, 2024 14:56 UTC (Fri)
by rschroev (subscriber, #4164)
[Link]
Same in Belgium. In practice in everyday life in most situations this is not enforced, but police enforcement can ask for your ID (I think they have to state why they do) when they feel you're causing trouble.
Posted Apr 5, 2024 18:36 UTC (Fri)
by pizza (subscriber, #46)
[Link] (21 responses)
What makes passports semi-feasible for "identity verification" is that there is a true international standard for machine readability (and decoding) of their information. But passports are not a given, meaning you'd realistically need to accept various [sub-]national ID cards in all their infinite diversity, with potentially a separate reading/decoding/verification mechanism required for each issuing agency.
Posted Apr 6, 2024 21:31 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (20 responses)
As digital visas become more common there will be more countries that will accept ID cards in lieu of passports.
It's possible to use all this infrastructure in positive ways. For example, it would allow Github to have proof you are over 18 and a resident of country X, without revealing any other information about you (zero-knowledge proofs). We're not there yet.
Of course the next step is to ditch the physical card altogether and have it all in your phone instead. Of course that gets trickier, because a passport/ID card provides offline unrecorded proof of validity, but it's not clear if a pure digital app based identity can work offline.
Posted Apr 6, 2024 22:05 UTC (Sat)
by pizza (subscriber, #46)
[Link] (19 responses)
...Well, that's great for Europeans, but what about the rest of the world?
(again, that's my point -- Passports have an international standard for machine readability and interoperability, but there are more standards for domestic identification than there are countries! I have a US passport, a second Federal-issued ID, and a state-issued ID. They are all machine-readable, but via different mechanisms, and the encoded information also differs. The passport establishes citizenship. The state ID establishes residency and permission to operate a motor vehicle on public roads)
Posted Apr 7, 2024 15:53 UTC (Sun)
by kleptog (subscriber, #1183)
[Link] (18 responses)
Ok, but this is a fabricated problem. The states of the US could surely get together and adopt a single standard to cover everything. Clearly it's not a big enough problem.
If your point is that requiring digital identification online for open-source projects would unfairly exclude much of the world, I agree with you. That's not something we can reasonably require at this point (perhaps ever).
Posted Apr 7, 2024 17:00 UTC (Sun)
by pizza (subscriber, #46)
[Link] (17 responses)
There is a federal standard for state ID cards now (imposed by the "REAL ID Act") but twenty years later it's still not fully deployed, and IIRC that _still_ doesn't provide a standard mechanism for machine readability or verification.
It's "not a big enough problem" because these ID cards are only used physically, in person, using the mk-I eyeball to make sure the photo vaguely looks like the person holding it.
> If your point is that requiring digital identification online for open-source projects would unfairly exclude much of the world, I agree with you. That's not something we can reasonably require at this point (perhaps ever).
Yes, except it's not "much of the world" so much as "everyone that doesn't live in a jurisdiction that provides state-issued digital identification along with a low/zero-cost mechanism for arbitrary third parties (including those outside your jurisdiction) to validate said credentials." IIUC hardly anywhere qualifies in that respect.
Posted Apr 7, 2024 17:46 UTC (Sun)
by pizza (subscriber, #46)
[Link]
Whoops, I stand corrected. It wasn't part of the original law, but instead as regulations issued by the DHS after the fact. So, currently REAL-ID compliant cards must have a PDF417 2D bar code containing a minimum of 10 data elements [1]. Notably missing is a digital signature that one can use to _validate_ the data without some sort of query to the issuing authority, so absent that query, these ID cards are only useful for in-person stuff since you can photoshop anything you want onto the front (photo, text) and back (barcode) and nobody would be any the wiser.
(Nearly all of the REAL-ID provisions have to do with physical/anti-tamper security (eg watermarks, holograms) and a consistent minimum standard for documentation needed to issue said ID, and the information that needs to be shown.)
(Meanwhile, various federal agencies (including the military) have their own ID standards that use different machine readable mechanisms and encoded data.)
[1] legal name, gender, DOB, address of residence, etc. See https://www.law.cornell.edu/cfr/text/6/37.19
Posted Apr 7, 2024 20:51 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (15 responses)
In the UK, it certainly isn't mandatory. The ONLY piece of ID that all British Nationals can be reasonably assumed to possess is a birth certificate. That's assuming their parents registered the birth. Anything beyond that is OPTIONAL, although living without it can be hard. If you haven't had to renew your driving licence for one reason or another, the old green paper version is still valid. There probably aren't that many left, though. My passport is not a proper biometric one (it's also no longer valid), but if anybody wants a passport for ID I would quite happily present it and say "if that's not good enough, it's the best I've got".
More and more, if people demand things off of me (mobile phone number especially), I just walk away ...
Cheers,
Posted Apr 8, 2024 21:31 UTC (Mon)
by kleptog (subscriber, #1183)
[Link] (14 responses)
I hope it is for you too. The UK has a weird view on IDs. On the one hand they recognise the benefits, on the other hand whenever it's proposed they always talk about being required to carry them at all times. Which is basically insane and a way to sink the topic before it gets anywhere.
A national ID is physical proof you are allowed to be there and have certain rights. So if some government database has a glitch and suddenly decides you're an illegal immigrant (e.g. Windrush, EUSS, the current PCDP scandal at the Home Office) you have physical proof that the database is *wrong*. Good for preventing you getting deported. That such a card is useful in other contexts is bonus.
From a pure practical point, my bank can assert my nationality just as well as the government can. You don't necessarily need passports/ID cards for that.
Posted Apr 9, 2024 9:02 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (13 responses)
One of the issues in the UK with national ID cards is that whenever the idea comes up, the intent is to fund the cards via other uses of the data contained therein. Being required to carry them at all times is just a consequence of the idea that national ID cards need to turn a profit for the government.
Posted Apr 9, 2024 9:53 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (12 responses)
Has anybody else noticed that - of the four nations - England is the only one without its own National Anthem?
Driven home when watching the Calcutta Cup - the Scots sing "Flower of Scotland", but the English sing "God Save the (Scottish) King" !!!
It's the same problem the Canadians and Mexicans have with North America / USA, and the English seem completely oblivious to it ...
Cheers,
Posted Apr 9, 2024 15:06 UTC (Tue)
by rschroev (subscriber, #4164)
[Link] (6 responses)
Posted Apr 10, 2024 10:01 UTC (Wed)
by paulj (subscriber, #341)
[Link] (5 responses)
It started with Ireland, which got a devolved government and dominion status within the UK in 1922 with some powers reserved for Westminster and an "Executive Council" (similarish to the privy council), until 1931 when Ireland became a wholly autonomous dominion, and then to 1937 as "Eire" a self-declared independent state (dominion status ambiguous), and formally as the Republic of Ireland from 1948.
Scotland and Wales got their own devolution in 1999, both more proscribed than the original Irish Free State (which had taken armed insurrection), but each with continued representation via MPs in Westminster. I'm not sure about the differences in power between them. The Scottish parliament seems to me to have more "status" and power than the Welsh one, but that might just be my bias, having lived in Scotland - I don't know much about Welsh devolution and how it compares.
It seems to me Ireland has the healthier status of the 4 "home nations", as they were (ignoring the Troubles, arising from Elizabethan and Jacobean era United Kingdom politics, which due to historical quirks left a longer, stronger imprint in the north of Ireland than the rest of the UK). Ireland continues to have very strong bilateral links to the rest of the Celtic Isles - Irish and British citizens travel and settle freely between them, trade a little less so now thanks to BrExit though, there are bilateral institutions, etc. - while Ireland is ultimately able to decide its own fate.
I don't understand why Scotland, if not Wales, doesn't also seek a similar situation. Would be better for all in the end I think. (I did vote "Yes" in the IndyRef in Scotland. ;) ).
Posted Apr 10, 2024 11:23 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (4 responses)
Being interested in history, I think this goes back to the fact that England and Scotland were two separate nations (let's forget the Flower of Scotland Proud Edward's Army bit) until very recently. Until William's intervention in 1066, the assorted British nations were steadily coalescing of their own accord, take for example the agreement round about 900AD between - iirc - Mercia, Northumbria and Wessex that all three crowns would pass to whichever King survived longest.
Then William arrived and upset the applecart, setting out to unite the British Isles by force. Out of proto-England, Wales held out the longest which forged a separate nationality (quite possibly helped by the fact that the Anglo-Saxon nations fell rather more easily, the Welsh being Celtic so already feeling different). But Wales has always been part of "England" since the mid 1100s (and sort-of took over the English crown with Owain Tudor about 1500).
Scotland has always had a separate identity - again being Gaelic rather than Anglo-Saxon (although the Sassenachs are "Lowland Scots" aka "Angles"). Again fuelled by constant conflict with the Normans to the south. And with their own monarchy (which Wales never had?) since pre-William - again going back to 900s and earlier - which left alone would probably have merged with England using a similar mechanism. But it wasn't to be.
So Scotland was either occupied, or completely independent, until the "Union of the Crowns" in 1603. It remained an independent (theoretically) country until about 1750 and the "Act of Union".
So basically, Scotland has more power and independence because Scotland is considered a nation/country. Wales is just a subordinate principality.
(And personally, I think Westminster has far too much power. A lot of it should be devolved to local government. But it's the standard ebb and flow of politics unfortunately - the centre grabs power, messes it up, and the regions grab it back. Rinse and repeat :-(
Cheers,
Posted Apr 10, 2024 12:59 UTC (Wed)
by paulj (subscriber, #341)
[Link] (3 responses)
As an aside, I note your view of the history seems skewed towards the countries /currently/ part of the UK. You can't understand the history of these Celtic Isles without understanding the history of one of the larger chunks of it, and a kingdom of the king of England for longer than Scotland - Ireland. Some of the biggest battles relevant to the history of the kingdom of England (and to the history of Europe, to a certain extent) were fought in... Ireland (by soldiers from many nations).
Just saying, cause a lot of modern British seem to overlook it - just cause Ireland is no longer part of the UK.
Posted Apr 10, 2024 15:04 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (1 responses)
I also know there's an awful lot of history roundabout the time of Cromwell and Cromwell :- ) that's Thomas Cromwell of Henry VIII fame for the first one :-) but I know very little about it, other than it was the age-old Catholic/Protestant mess. (And quite likely earlier, too.)
The other thing that often gets forgotten about medieval history is the "Joan of Arc vs the English" lie. Okay, Joan is a bit later than this, but King John (of Magna Carta fame, 1215) is probably the first true "King of England". Before that, and including his elder brother Richard, the title of Duke of Normandy actually ranked ABOVE the King of England. Richard's troubles in the Crusades basically brought about the downfall of the Norman Empire, and Joan drove the Normans out of Normandy (probably a gross mis-representation of what actually happened, but rather more accurate than folk history!)
Cheers,
Posted Apr 11, 2024 9:12 UTC (Thu)
by paulj (subscriber, #341)
[Link]
Posted Apr 10, 2024 15:19 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
And that's how the treaty between the three kings worked - the ruling councils basically signed up that the only eligible candidates for any vacant monarchy would be the other monarchs. All helped by the fact that the crowns did NOT pass father to son, although the only real candidates were all close relatives of the late King.
Indeed, George II may have been the first King to inherit as of legal right, given the shenanigans in the aftermath of Henry VIII and Edward VI, and the similar shenanigans over James II, William and Mary, and Anne. Indeed, after the death of his wife, William III ruled alone despite not being of (British) Royal Blood at all! Using him as precedent, we should have had King Albert, and King Philip! (Although of course, Philip was of British Royal Blood, as also reputedly is Camilla.)
Cheers,
Posted Apr 9, 2024 15:39 UTC (Tue)
by anselm (subscriber, #2796)
[Link]
So far that's just a patriotic song popular with Scottish sports fans which various Scottish sports bodies have provisionally adopted in the absence of an actual national anthem (which Scotland doesn't have, either).
Having said that, in spite of its obvious problems Flower of Scotland is apparently a strong contender to become the official national anthem once the Scottish parliament gets its act together. As far as the English are concerned, they should be bothered by the fact that they have no national parliament (or for that matter government) much more than by the formal absence of a national anthem.
Posted Apr 10, 2024 9:27 UTC (Wed)
by paulj (subscriber, #341)
[Link] (3 responses)
Posted Apr 11, 2024 9:42 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (2 responses)
(So he's as Scottish as most other people in Scotland :-) which is to say not really at all. Most residents of modern Scotland (a) do not live in the Land of the Scots, and (b) trace their ancestry to either the Picts or the Angles.
(Inasmuch as most people in the British Isles trace their ancestry back to the Anglo-Saxons - genetically we're nearly all Britons, but culturally we're Anglo-Saxon because we adopted the ruling class's language and culture. That's where the word "Welsh" came from - aka "not Anglo Saxon".)
Cheers,
Posted Apr 11, 2024 10:17 UTC (Thu)
by paulj (subscriber, #341)
[Link] (1 responses)
It's a bit of a stretch to call Big Ears "Scottish" because, in between the plethora of German ancestors, you can find one couple who were Scottish and Danish a few hundred years ago. ;)
Posted Apr 11, 2024 11:12 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Apr 5, 2024 19:38 UTC (Fri)
by gioele (subscriber, #61675)
[Link]
Formally, Germany requires you to "possess" an identity document ("verpflichtet, einen gültigen Ausweis zu besitzen" = to have applied for it and to have it somewhere, for example at home) once you are 16. It is not required that you "are in possession" of an identity document (~= to carry with you).
https://www.gesetze-im-internet.de/pauswg/BJNR134610009.h...
Posted Apr 4, 2024 22:47 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
They don't even do that - all my passport actually does is establish that if someone presents it to you as "their" passport, and you don't believe them, you can hand them over to my country of origin, and my country of origin will arrange my return home (if it's me presenting the passport) and bill me for it later, or will arrest the person, bring them to my country of origin, and then prosecute them for using my passport while not being me, with potential for significant jail time over here.
In particular, for the purposes of holding me accountable for actions, my passport is less valuable than my purported name and e-mail address. If those aren't enough, my passport details are not; my country does not issue ID cards as a matter of course, and I therefore have no documentation that establishes my identity for the purposes of accountability.
Better yet, I'm allowed multiple passports as long as I am not using them to defraud the government. The details on my passport don't have to be my "legal" name, since there is no such thing - they just have to be a name that I use in the course of business. I could get a passport in the name "Linus Benedict Torvalds" quite legitimately, as long as I can show the government that I use that name regularly.
Passports establish identity and jurisdiction (for extradition if necessary) for claims of torts and charges of crimes.
It's not about whether they can be trusted, but about whether they can be held accountable if they do something bad.
That's not very useful for a nation-state-sponsored attack like (most likely) this one.
… assumes a "supply chain" and an avenue for contractual obligations that just does not exist, cannot exist and is deeply undesired by all of the people this industry runs on, those who publish their code online because it brings them joy.
install it on your distro. And then it ends up becoming critical. What are you gonna do then?
You can't just handwave some sort of contractual customer relationship between someone uploading code on the internet and other people choosing to use it in critical ways of their own accord, that's just not how things work.
the Scots sing "Flower of Scotland"
https://www.gesetze-im-internet.de/englisch_pauswg/englis...