|
|
Subscribe / Log in / New account

Verify the identity of developers

Verify the identity of developers

Posted Apr 1, 2024 13:28 UTC (Mon) by farnz (subscriber, #17727)
In reply to: Verify the identity of developers by epa
Parent article: A backdoor in xz

The USA has a track record of attacking its allies via secret programs (as does every other Western democracy I've looked into - the USA is not unique here). There's thus a constant tug-of-war going on; do I trust the USA because they'd prefer me to do well rather than their enemies, or do I distrust them because they would prefer to attack me in order to benefit the USA and American companies at my expense?

Purely in terms of "can I trust their home nation", the only safe developers are those with the same national affiliation as you, since whatever leverage the nation-state can apply to them can also be applied to you. And that, fundamentally, comes down to a personal trust matter; can you trust the people you depend upon, or not? Can you "trust, but verify"? Or are you stuck with an untrustworthy partner whose behaviour cannot be verified?

to post comments

Verify the identity of developers

Posted Apr 2, 2024 15:24 UTC (Tue) by MarcB (subscriber, #101804) [Link] (3 responses)

> Purely in terms of "can I trust their home nation", the only safe developers are those with the same national affiliation as you, ...

And even that is a best-case scenario. Many countries do not have strong civil rights and their secret services target their own citizens.

Verify the identity of developers

Posted Apr 2, 2024 16:08 UTC (Tue) by farnz (subscriber, #17727) [Link]

My expectation is that the secret services etc are as much a risk to you as they are to someone you deem "trusted". Basically, by trusting people in the same immigration situation as you and in the same country as you, you're trusting people inside the same "national security" boundary as you; the moment you go outside that, you're at risk of your colleague being targeted by a national security agency that cannot reach you, even if they are an upstanding person themselves.

So, while Canada is basically a safe country, as someone based in England, I'm in a separate "national security" boundary to a Canadian; it is at least theoretically possible that a Canadian agency can't get to me, but can compromise a Canadian contact, and it's also possible for a UK agency to compromise me, while being unable to compromise my Canadian contact.

This analysis still applies even if the two countries are evildoers; my local set of evil government agencies affect me and anyone else in the same country, and your local set affect you and anyone else in the same country. If we're in different countries, and you need only affect one of us, then the set of agencies to care about is the union of the sets we're affected by.

Verify the identity of developers

Posted Apr 3, 2024 17:39 UTC (Wed) by jafd (subscriber, #129642) [Link] (1 responses)

Also, moles exist.

Verify the identity of developers

Posted Apr 4, 2024 19:01 UTC (Thu) by epa (subscriber, #39769) [Link]

Running a mole is about a million times more expensive than creating a GitHub account under a completely made-up identity. That’s the idea.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds