(Easy) ways to help struggling open source projects:

- step in and help review a few PRs

- help the project triage/reproduce bugs

- if code in the PR looks complicated or is hard to understand, ask for an explanation

- express your gratitude to the maintainers

- make your company sponsor projects they depend on

@bagder but unfortunately these are also the same steps you need to do to infiltrate an open source project as a bad actor.

Maybe the open source community needs to create a network of trust which can at least offer a “This is a known person” qualification to contributors.

@codepope @bagder It's hard enough to find contributors to long-running important projects as it is (that of course being the scenario that brought "Jia Tan" in).

If there's another level of gatekeeping on top of all the existing barriers, surely that's going to reduce the pool of contributors even more? I don't have a solution unfortunately but I really can't see the web of trust idea being viable.

@losttourist @bagder if you want to keep bad actors out you are going to have to have some form of gatekeeping - an open web of trust would allow projects to bring in trusted contributors faster - and it would depend on the project how strictly they applied it.

@codepope @losttourist @bagder but what would such a WoT even mean? You can't statically divide persons and even less so online identities into good and bad. This changes over time or context, and is highly subjective anyway.

@martinpitt @losttourist @bagder a trusted person vouches in the web for another person (and is able to revoke that assertion) and you start with a number of well known trusted persons to seed the network - the rest is identity and verification.
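
The vouch/revoke scheme sketched in the post above, written out as a small model. This is an added illustration for this page, not code from anyone in the thread or from any project; the seed identities, the two strictness knobs (longest accepted vouch chain, minimum number of independent vouchers) and all names in the sample data are assumptions of the model.

```python
from collections import deque


class WebOfTrust:
    """Toy model of the vouching scheme sketched in the thread.

    Illustrative code added for this page; not any project's implementation.
    Seeds are trusted unconditionally; anyone trusted may vouch for others and
    may revoke that vouch later. How strictly a project applies the web is a
    per-project policy (an assumption of this model): the longest chain of
    vouches it accepts from a seed (max_depth) and how many independently
    trusted vouchers a newcomer needs (min_vouchers).
    """

    def __init__(self, seeds):
        self.seeds = set(seeds)
        self.vouches = {}  # voucher -> set of people they vouch for

    def vouch(self, voucher, vouchee):
        if voucher == vouchee:
            raise ValueError("a person cannot vouch for themselves")
        self.vouches.setdefault(voucher, set()).add(vouchee)

    def revoke(self, voucher, vouchee):
        # Revocation deletes the assertion; anyone who was trusted only
        # through this edge drops out of the web on the next query.
        self.vouches.get(voucher, set()).discard(vouchee)

    def reachable(self, max_depth, exclude=None):
        """Breadth-first walk from the seeds along vouch edges.

        Returns {person: depth}. Edges out of `exclude` are not followed, so
        trust cannot circle back through the person being evaluated.
        """
        depth = {s: 0 for s in self.seeds}
        queue = deque(self.seeds)
        while queue:
            cur = queue.popleft()
            if cur == exclude or depth[cur] >= max_depth:
                continue
            for nxt in self.vouches.get(cur, ()):
                if nxt not in depth:
                    depth[nxt] = depth[cur] + 1
                    queue.append(nxt)
        return depth

    def vouchers_of(self, person, max_depth):
        """Vouchers for `person` who are trusted without relying on `person`."""
        reach = self.reachable(max_depth, exclude=person)
        return sorted(
            v for v, vouched in self.vouches.items()
            if person in vouched and v in reach and reach[v] < max_depth
        )

    def is_trusted(self, person, max_depth=2, min_vouchers=1):
        if person in self.seeds:
            return True
        return len(self.vouchers_of(person, max_depth)) >= min_vouchers


def demo():
    # Constructed sample data: hypothetical names, not real contributors.
    wot = WebOfTrust(seeds=["alice", "bob"])
    wot.vouch("alice", "carol")  # carol is one hop from a seed
    wot.vouch("carol", "dave")   # dave is two hops via carol...
    wot.vouch("bob", "dave")     # ...and one hop via bob
    wot.vouch("dave", "erin")    # erin depends entirely on dave
    results = {
        "erin_depth2": wot.is_trusted("erin", max_depth=2),
        "erin_depth1": wot.is_trusted("erin", max_depth=1),
        "dave_two_vouchers": wot.is_trusted("dave", max_depth=2, min_vouchers=2),
    }
    wot.revoke("bob", "dave")  # bob withdraws his assertion
    results["dave_two_vouchers_after_revoke"] = wot.is_trusted("dave", max_depth=2, min_vouchers=2)
    results["erin_depth2_after_revoke"] = wot.is_trusted("erin", max_depth=2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model makes two points the post leaves implicit: a revocation cascades (once bob withdraws his vouch, dave's only remaining chain is two hops long, so erin falls outside a project that accepts at most two hops), and a voucher who is only trusted via the person being evaluated does not count, so a small ring of accounts vouching for each other cannot bootstrap trust without a path from a seed.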

@codepope @martinpitt @bagder But how do new contributors come into the ecosystem? If they need to know an existing contributor IRL that's a massive barrier to entry. If they can demonstrate their credentials by showing good contribs on their own github etc, well that's just an additional step that the next Jia Tan needs to take before getting their "good person" certificate.

@losttourist @martinpitt @bagder why not IRL? And no, a digital footprint would not be enough. This is about establishing good actors first.

@codepope @losttourist @martinpitt @bagder

How does meeting someone repeatedly IRL help in determining that they won't do something malicious in the future?

@robryk @losttourist @martinpitt @bagder it doesn't - it's part of you establishing if they are trustable (i.e. they physically exist). Other parts may include having worked with them, previous collaboration, etc., though having met IRL could be table stakes in you vouching for them in the web.

Let's put it this way: if you can't establish you can trust someone, how can you expect a project maintainer to?

@codepope @losttourist @martinpitt @bagder

I don't think one can find future Jias with any feasible methods. Doing what you propose would imo worsen the situation by raising the bar by a larger increment for honest contributors.

@robryk @losttourist @martinpitt @bagder So rather than distribute the verification load throughout the contributing community, you’d rather leave that on the maintainers?

If you want to keep the bar low for all, guess we are going to have to live with those bad actors' actions then.


@codepope @losttourist @martinpitt @bagder

Please do not put words in my mouth (or rather hands).

I do not want anyone to consider it their duty to approach an offer of help with suspicion that it originates from an agent of a hostile nation state.

@codepope

Because I expect that to have an effect that's worse than doing nothing. First, for many kinds of social norms this kind of distrust makes everyone uncomfortable (and even more so if the norms differ across participants). Even ignoring that, doing this is tantamount to asking laymen to do counterintelligence. We've had examples of similar things being counterproductive (many of the "look out for suspicious things" campaigns). All the counterintelligence manuals for nonspecialists that I've seen (e.g. WW2 era instruction movies) emphasized that one's estimate of trustworthiness is easy to manipulate and to not rely on it, instead sticking to action-oriented rules and reporting attempts to dissuade one from doing so, even if they seem innocent.

@robryk You're comparing negative/suspicion campaigns run by governments to an idea of members of a community vouching for others (there is no distrust in this, just an absence of vouched-for trust).

And again, if you assert you can't establish trustworthiness, then how's a maintainer supposed to do so? We were lucky, very lucky, with xz and I'd hope that we’d see it as a wake up call, that nation state actors *do* see FOSS as a target.

@codepope

As I already explicitly stated, I assert that the maintainer should not be under obligation to suspect a nation state attack in a help offer.

There's no well defined zero point on the trust scale, so I don't see what absence of trust really means. You are positing that the amount of default trust should be lower, which to me means distrusting newcomers.

You are literally asking for a suspicion campaign by saying that people should have less trust than they currently have in total newcomers.

@codepope

What I think would be helpful is if there was a way to report one's suspicions to an organization that is more competent in this area and that can be generally trusted not to use the information provided for other purposes than ensuring security of software (so that doing so is something that one can do without much hesitation). (I think that many people would have lots of qualms about reporting such suspicions to the FBI, because they'd worry it would negatively affect involved people even if the suspicion was baseless).

For cases when there is no explicit ground for suspicion I still think that doing nothing (and relying on counterintelligence of your country/of the USA) is strictly better than engendering less-trust-by-default.

Qoto Mastodon