I love that Debian discovered both the failure of crowdsourcing a web of trust via keysigning parties (someone used ID in their name but issued by a fake country) and the failure of assuming upstream is trustworthy (an upstream buried code that wouldn't trigger on the Debian maintainer's system but would everywhere else) back in the 2000s but the free software ecosystem is still trying to come up with social solutions to a technical problem
English police assumed false identities and infiltrated activist groups and even had children with members of those groups with the backing of the state, what kind of "real name" policy would have prevented that? There's a degree to which reputation associated with an online identity is important but there's no evidence that trying to tie that to any kind of government issued ID improves anything - and there's no inherent reason to believe that an established identity is trustworthy
There really is no simple answer to the xz case. We can reduce dependencies, we can strengthen sandboxing, we can make it harder for dependencies to inject code. But fundamentally we still depend on the idea that our dependencies are trustworthy and the only real way to guarantee that is to have strict examination of every single line of code
@falken I mean basically?
@falken @mjg59 billion dollar corporations that depend on it can step up if they want a trustworthy supply chain.