Verify the identity of developers

Posted Apr 6, 2024 18:14 UTC (Sat) by smurf (subscriber, #17840)
In reply to: Verify the identity of developers by atnot
Parent article: A backdoor in xz

Surprise: I know that.

> You can say how it would work if this was a company again and again.

I don't recall saying anything more than once.

Also I didn't say that "this", whatever it is, should work like a company. Or that I'm advocating for doing things that way.

All I'm saying is that compared to the security (both real and theater) you're subjected to when working on "this" in a corporate context, requesting something that links your online identity with what most people consider to be the Real World isn't *that* much of a burden.

Given this attack, the idea of finding some middle ground between "you're a $NATION black hat? sure, no prob, here are the keys" and the (IMHO somewhat excessive) hoops the corporate world requires you to jump through when you want to do the exact same thing for $$$ isn't *that* far out.

So we get to talk about it.

There's a material difference between discussing ways to ID people working on critical code and concluding that it's not practical and finding some other way to reach the same goal (clean up our tooling, pay somebody to do code reviews, whatever) and declaring a priori that the topic is not up for discussion because "that's just not how things work".

Verify the identity of developers

Posted Apr 6, 2024 18:26 UTC (Sat) by mjg59 (subscriber, #23239) [Link] (1 responses)

Linking "online identity" to "real world identity" is a great way to dissuade a significant number of people from participating in free software, and at this point we have no evidence whatsoever it would have done anything to help in the case in question.

Verify the identity of developers

Posted Apr 6, 2024 19:06 UTC (Sat) by Wol (subscriber, #4433) [Link]

And what smurf is conveniently forgetting is that my pet project may or may not be critical to me. If it's critical to someone else - NOT MY PROBLEM!

"We get to talk about it". And the FIRST thing I'm going to talk about is £££. At which point if you don't want to pay - or I don't want the money! - we're at an impasse.

At the end of the day, there has to be a MUTUAL EXCHANGE OF VALUE. And smurf is assuming he has something of value to offer - BAD ASSUMPTION! I don't know about other people, but as far as I'm concerned, if it involves dealing with the US Authorities, my price is likely to be "Up Yours!!!"

"So we get to talk about it." "Feel free to fork it. I don't care".

Cheers,
Wol