
Verify the identity of developers

Posted Apr 6, 2024 13:14 UTC (Sat) by smurf (subscriber, #17840)
In reply to: Verify the identity of developers by atnot
Parent article: A backdoor in xz

> Look at CLAs, most people already can't be bothered to e-sign some document in docusign or whatever.

The problem with CLAs isn't that I can't be bothered.

The problem is that assigning my copyright, or the rights thereof (you can't "assign copyright" in some jurisdictions; you created it, you have the copyright, period end of discussion, presuming you didn't do it for an employer) is a very bad idea because it allows the transferee to re-license the work under any proprietary legalese they damn well please. Numerous examples can readily be found in the archives, of LWN and elsewhere.

Showing my passport / ID document to somebody doesn't take away any of my rights.

XZ and of course a whole freakin' lot of other software is the equivalent of critical infrastructure. In most countries, if I want to hire you to work on anything critical, you showing me some official ID document is just the first step in a rather long list of intrusive government snoopage, depending on quite how critical the piece you'd then be able to subvert is; including but *way* not limited to checking that you don't have relatives in $BAD_COUNTRY whose health would be a convenient handle their government might blackmail you with.

You don't want that? fine, go work somewhere else.


to post comments

Verify the identity of developers

Posted Apr 6, 2024 16:42 UTC (Sat) by atnot (subscriber, #124910) (3 responses)

Okay, I'll work on something else. And then it will become useful, and lots of people will want to install it on your distro. And then it ends up becoming critical. What are you gonna do then?

You can say how it would work if this was a company again and again. But this isn't a company. It very explicitly and deliberately does not work like a company.
You can't just handwave some sort of contractual customer relationship between someone uploading code on the internet and other people choosing to use it in critical ways of their own accord, that's just not how things work.

Verify the identity of developers

Posted Apr 6, 2024 18:14 UTC (Sat) by smurf (subscriber, #17840) (2 responses)

Surprise: I know that.

> You can say how it would work if this was a company again and again.

I don't recall saying anything more than once.

Also I didn't say that "this", whatever it is, should work like a company. Or that I'm advocating for doing things that way.

All I'm saying is that compared to the security (both real and theater) you're subjected to when working on "this" in a corporate context, requesting something that links your online identity with what most people consider to be the Real World isn't *that* much of a burden.

Given this attack, the idea of finding some middle ground between "you're a $NATION black hat? sure, no prob, here are the keys" and the (IMHO somewhat excessive) hoops the corporate world requires you to jump through when you want to do the exact same thing for $$$ isn't *that* far out.

So we get to talk about it.

There's a material difference between discussing ways to ID people working on critical code and concluding that it's not practical and finding some other way to reach the same goal (clean up our tooling, pay somebody to do code reviews, whatever) and declaring a priori that the topic is not up for discussion because "that's just not how things work".

Verify the identity of developers

Posted Apr 6, 2024 18:26 UTC (Sat) by mjg59 (subscriber, #23239) (1 response)

Linking "online identity" to "real world identity" is a great way to dissuade a significant number of people from participating in free software, and at this point we have no evidence whatsoever it would have done anything to help in the case in question.

Verify the identity of developers

Posted Apr 6, 2024 19:06 UTC (Sat) by Wol (subscriber, #4433)

And what smurf is conveniently forgetting is that my pet project may or may not be critical to me. If it's critical to someone else - NOT MY PROBLEM!

"We get to talk about it". And the FIRST thing I'm going to talk about is £££. At which point if you don't want to pay - or I don't want the money! - we're at an impasse.

At the end of the day, there has to be a MUTUAL EXCHANGE OF VALUE. And smurf is assuming he has something of value to offer - BAD ASSUMPTION! I don't know about other people, but as far as I'm concerned, if it involves dealing with the US Authorities, my price is likely to be "Up Yours!!!"

"So we get to talk about it." "Feel free to fork it. I don't care".

Cheers,
Wol

Verify the identity of developers

Posted Apr 6, 2024 16:53 UTC (Sat) by farnz (subscriber, #17727) (2 responses)

When xz started, and indeed when most of the open source that's now "critical infrastructure" started, it was just a hobby project, and not critical. It became critical because it was useful and became used; but that's on the users, not the developers.

Or are you saying that I'm allowed to demand that you go through a very long list of government snoopage because I've used your comment in something critical, and you now owe me big time for my decision to make use of your work?

Verify the identity of developers

Posted Apr 7, 2024 2:35 UTC (Sun) by draco (subscriber, #1792) (1 response)

No, I think it's the other way around

Perhaps I don't want the reputational damage of having nation state attacks on my project, so I insist on knowing that the patches I accept are from real, identifiable people from countries I trust

Maybe nobody contributes to my project, maybe I'm ok with that, maybe some people feel better about my project because of that policy

Maybe people who don't like that choose to fork it, that's their right, but then they accept the consequences

Or maybe they do the same thing, but with different trust decisions about who's ok 😂🤷

A variant of this has happened before: DJB is very opinionated about what goes into his software

Is this a good approach? The proof won't be in any arguments about it, but in what actually happens

Verify the identity of developers

Posted Apr 7, 2024 11:17 UTC (Sun) by farnz (subscriber, #17727)

But what if you yourself are a nation state attacker? How do I know when I look at something and consider using it that you're trustworthy? How do I as a potential user get you to jump through my hoops that confirm that you are a real, identifiable person from a country I trust?

And remember that for a lot of contributions, I can see that they're safe by review; why would I demand anything from a contributor when it's obvious to me that the change is good as-is? For code where I can't completely review it, I need some degree of trust, but where I can review in full, why would I put you through a barrage of trust checks just to go 'yep, I can see that changing "correct. the system" to "correct. The system" is a good change to make'?
