
It's naive to believe that any form of physical presence means someone isn't going to do something nefarious in the eyes of the project.

This problem can only be solved by more skilled eyes on the projects that we rely on. How do we get there? shrug.gif.

Anything less is trying to find a cheap and ineffective shortcut in this trust model.



> It's naive to believe that any form of physical presence means someone isn't going to do something nefarious in the eyes of the project.

It's not the only thing, but it is something.

There's a lot of social engineering that went into the xz backdoor[0]. This started years ago; Jia Tan was posting in projects and suddenly someone appeared to pressure projects to accept their code. Who's Jia Tan? Who's Jigar Kumar, the person who is pressuring others to accept patches from Jia Tan? We don't know. Probably some person or group sponsored by a state APT, but we don't know for sure, because they're currently just text on a screen.

Having this person or group of people have to continually commit to the bit of publicly-known open-source maintainer who attends conferences, has an actual face, and is on security camera footage at multiple hotels and airports is far, far harder than just talking a vulnerable person into allowing maintainer access on a repository. Making them show up to different places a few times adds a layer of identity. Otherwise these "skilled eyes" could be anyone with a wide variety of motivations.

[0]https://boehs.org/node/everything-i-know-about-the-xz-backdo...


> Having this person or group of people have to continually commit to the bit of publicly-known open-source maintainer who attends conferences,

This is assuming maintainers even care/want to go.

> has an actual face, and is on security camera footage at multiple hotels and airports

The same footage that'll get wiped a few weeks after the conference ends, and quickly becomes not useful.

This is wonderful posturing in the name of security theater but doesn't solve anything.


> This is assuming maintainers even care/want to go.

If they don't want to go, don't use their project. Sorry, these aren't the TI-83 games you passed around at your high school with programming cables; they're the code libraries our society is built on. If my project relies on your project, I need to know who you are. If I can't figure that out, I'll try to find another one.

> The same footage that'll get wiped a few weeks after the conference ends, and quickly becomes not useful.

> This is wonderful posturing in the name of security theater but doesn't solve anything.

Along with receipts, eyewitnesses, plane tickets, etc. that put a person at a place at a time. Doesn't all have to be digital evidence.


You have a good point, but there's also a reason why companies like people to come into work and don't hire remotely as much as they should (or could). There's a reason why interviews often include a meal together. Meeting people IRL is good for building trust, on both sides.



