
Verify the identity of developers

Posted Apr 5, 2024 12:55 UTC (Fri) by atnot (subscriber, #124910)
In reply to: Verify the identity of developers by pizza
Parent article: A backdoor in xz

This entire discussion is just moot in the first place, because if some project requires me to scan my passport to contribute, I will simply not contribute to that project. And experience shows few people will. *Especially* if that means you take on some sort of legal liability for your contributions, which just, hell no.

Look at CLAs, most people already can't be bothered to e-sign some document in docusign or whatever.

And it's the wrong direction to discuss this anyway. Sure, verifying passports would be a way to verify that people contributing to *your* project are people recognized by some sort of UN government (lots of people aren't, but let's put that aside). But if, say, sqlite, gcc, freebsd, linux or whatever organizations your systems depend on aren't going to enforce your draconian policy, what are you going to do? Or if they do, and a fork develops that just lets people contribute without any riffraff? Are you going to not package their software and everything that depends on it? Rewrite the whole thing from scratch? You can't trust any of their commits after all. Put the stuff without passport checks in a separate repository, which everyone just enables blindly because that's what you actually need to do to get real work done, just like people already do with rpmfusion and universe and flatpak and pypi and everything else?

It's just a completely unrealistic model of free software development that assumes a "supply chain" and an avenue for contractual obligations that just does not exist, cannot exist and is deeply undesired by all of the people this industry runs on, those who publish their code online because it brings them joy.


Verify the identity of developers

Posted Apr 5, 2024 13:43 UTC (Fri) by farnz (subscriber, #17727)

> … assumes a "supply chain" and an avenue for contractual obligations that just does not exist, cannot exist and is deeply undesired by all of the people this industry runs on, those who publish their code online because it brings them joy.

This is the key point; if you're going to "solve" this problem, you need to start at the producer end, since the consumers of Free Software have no leverage over the producers in general (you may have leverage in specific cases - say if you employ a producer of Free Software and can threaten their livelihood - but not over the full sum of Free Software).

If you can't come up with a good reason why you'd jump through the hoops you're putting in place to fix a typo in a message the program displays (say changing "the" to "The" because of context), then your hoops are not going to work in general, since there will be plenty of producers of best-in-class Free Software who refuse to jump through your hoops.

Verify the identity of developers

Posted Apr 6, 2024 13:14 UTC (Sat) by smurf (subscriber, #17840) (7 responses)

> Look at CLAs, most people already can't be bothered to e-sign some document in docusign or whatever.

The problem with CLAs isn't that I can't be bothered.

The problem is that assigning my copyright, or the rights thereof (you can't "assign copyright" in some jurisdictions; you created it, you have the copyright, period end of discussion, presuming you didn't do it for an employer) is a very bad idea because it allows the transferee to re-license the work under any proprietary legalese they damn well please. Numerous examples can readily be found in the archives, of LWN and elsewhere.

Showing my passport / ID document to somebody doesn't take away any of my rights.

XZ and of course a whole freakin' lot of other software is the equivalent of critical infrastructure. In most countries, if I want to hire you to work on anything critical, you showing me some official ID document is just the first step in a rather long list of intrusive government snoopage, depending on quite how critical the piece you'd then be able to subvert is; including but *way* not limited to checking that you don't have relatives in $BAD_COUNTRY whose health would be a convenient handle their government might blackmail you with.

You don't want that? Fine, go work somewhere else.

Verify the identity of developers

Posted Apr 6, 2024 16:42 UTC (Sat) by atnot (subscriber, #124910) (3 responses)

Okay, I'll work on something else. And then it will become useful, and lots of people will want to install it on your distro. And then it ends up becoming critical. What are you gonna do then?

You can say how it would work if this was a company again and again. But this isn't a company. It very explicitly and deliberately does not work like a company.
You can't just handwave some sort of contractual customer relationship between someone uploading code on the internet and other people choosing to use it in critical ways of their own accord; that's just not how things work.

Verify the identity of developers

Posted Apr 6, 2024 18:14 UTC (Sat) by smurf (subscriber, #17840) (2 responses)

Surprise: I know that.

> You can say how it would work if this was a company again and again.

I don't recall saying anything more than once.

Also I didn't say that "this", whatever it is, should work like a company. Or that I'm advocating for doing things that way.

All I'm saying is that compared to the security (both real and theater) you're subjected to when working on "this" in a corporate context, requesting something that links your online identity with what most people consider to be the Real World isn't *that* much of a burden.

Given this attack, the idea of finding some middle ground between "you're a $NATION black hat? sure, no prob, here are the keys" and the (IMHO somewhat excessive) hoops the corporate world requires you to jump through when you want to do the exact same thing for $$$ isn't *that* far out.

So we get to talk about it.

There's a material difference between discussing ways to ID people working on critical code and concluding that it's not practical and finding some other way to reach the same goal (clean up our tooling, pay somebody to do code reviews, whatever) and declaring a priori that the topic is not up for discussion because "that's just not how things work".

Verify the identity of developers

Posted Apr 6, 2024 18:26 UTC (Sat) by mjg59 (subscriber, #23239) (1 response)

Linking "online identity" to "real world identity" is a great way to dissuade a significant number of people from participating in free software, and at this point we have no evidence whatsoever it would have done anything to help in the case in question.

Verify the identity of developers

Posted Apr 6, 2024 19:06 UTC (Sat) by Wol (subscriber, #4433)

And what smurf is conveniently forgetting is that my pet project may or may not be critical to me. If it's critical to someone else - NOT MY PROBLEM!

"We get to talk about it". And the FIRST thing I'm going to talk about is £££. At which point if you don't want to pay - or I don't want the money! - we're at an impasse.

At the end of the day, there has to be a MUTUAL EXCHANGE OF VALUE. And smurf is assuming he has something of value to offer - BAD ASSUMPTION! I don't know about other people, but as far as I'm concerned, if it involves dealing with the US Authorities, my price is likely to be "Up Yours!!!"

"So we get to talk about it." "Feel free to fork it. I don't care".

Cheers,
Wol

Verify the identity of developers

Posted Apr 6, 2024 16:53 UTC (Sat) by farnz (subscriber, #17727) (2 responses)

When xz started, and indeed when most of the open source that's now "critical infrastructure" started, it was just a hobby project, and not critical. It became critical because it was useful and became used; but that's on the users, not the developers.

Or are you saying that I'm allowed to demand that you go through a very long list of government snoopage because I've used your comment in something critical, and you now owe me big time for my decision to make use of your work?

Verify the identity of developers

Posted Apr 7, 2024 2:35 UTC (Sun) by draco (subscriber, #1792) (1 response)

No, I think it's the other way around

Perhaps I don't want the reputational damage of having nation state attacks on my project, so I insist on knowing that the patches I accept are from real, identifiable people from countries I trust

Maybe nobody contributes to my project, maybe I'm ok with that, maybe some people feel better about my project because of that policy

Maybe people who don't like that choose to fork it, that's their right, but then they accept the consequences

Or maybe they do the same thing, but with different trust decisions about who's ok 😂🤷

A variant of this has happened before: DJB is very opinionated about what goes into his software

Is this a good approach? The proof won't be in any arguments about it, but in what actually happens

Verify the identity of developers

Posted Apr 7, 2024 11:17 UTC (Sun) by farnz (subscriber, #17727)

But what if you yourself are a nation state attacker? How do I know when I look at something and consider using it that you're trustworthy? How do I as a potential user get you to jump through my hoops that confirm that you are a real, identifiable person from a country I trust?

And remember that for a lot of contributions, I can see that they're safe by review; why would I demand anything from a contributor when it's obvious to me that the change is good as-is? For code where I can't completely review it, I need some degree of trust, but where I can review in full, why would I put you through a barrage of trust checks just to go 'yep, I can see that changing "correct. the system" to "correct. The system" is a good change to make'?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds