I love that Debian discovered both the failure of crowdsourcing a web of trust via keysigning parties (someone used ID in their name but issued by a fake country) and the failure of assuming upstream is trustworthy (an upstream buried code that wouldn't trigger on the Debian maintainer's system but would everywhere else) back in the 2000s, but the free software ecosystem is still trying to come up with social solutions to a technical problem.

English police assumed false identities and infiltrated activist groups and even had children with members of those groups with the backing of the state. What kind of "real name" policy would have prevented that? There's a degree to which reputation associated with an online identity is important, but there's no evidence that trying to tie that to any kind of government-issued ID improves anything, and there's no inherent reason to believe that an established identity is trustworthy.

There really is no simple answer to the xz case. We can reduce dependencies, we can strengthen sandboxing, we can make it harder for dependencies to inject code. But fundamentally we still depend on the idea that our dependencies are trustworthy, and the only real way to guarantee that is to have strict examination of every single line of code.

@mjg59 So everyone needs merge review. Even maintainers. No direct master commits ever?

Hard when you're the tiny little one person project everyone needs...

@falken @mjg59 Billion-dollar corporations that depend on it can step up if they want a trustworthy supply chain.
