Verify the identity of developers
Posted Apr 7, 2024 2:35 UTC (Sun) by draco (subscriber, #1792)
In reply to: Verify the identity of developers by farnz
Parent article: A backdoor in xz
Perhaps I don't want the reputational damage of having nation state attacks on my project, so I insist on knowing that the patches I accept are from real, identifiable people from countries I trust.
Maybe nobody contributes to my project, maybe I'm ok with that, maybe some people feel better about my project because of that policy.
Maybe people who don't like that choose to fork it; that's their right, but then they accept the consequences.
Or maybe they do the same thing, but with different trust decisions about who's ok 😂🤷
A variant of this has happened before: DJB is very opinionated about what goes into his software.
Is this a good approach? The proof won't be in any arguments about it, but in what actually happens.
Posted Apr 7, 2024 11:17 UTC (Sun) by farnz (subscriber, #17727)
But what if you yourself are a nation state attacker? How do I know when I look at something and consider using it that you're trustworthy? How do I as a potential user get you to jump through my hoops that confirm that you are a real, identifiable person from a country I trust?
And remember that for a lot of contributions, I can see that they're safe by review; why would I demand anything from a contributor when it's obvious to me that the change is good as-is? For code where I can't completely review it, I need some degree of trust, but where I can review in full, why would I put you through a barrage of trust checks just to go 'yep, I can see that changing "correct. the system" to "correct. The system" is a good change to make'?