Some have rolled their eyes at the "paranoid" requirement from the #Debian community of in-person GPG key signing as a step to become a Debian developer, and it's often been a real barrier.

But I'm reminded of it at the #OSSummit keynote today as the #Linux Foundation's Jim Zemlin talks about the xz vulnerability and identity verification of developers.

It was never paranoia. It doesn't solve everything, and people can still be dishonest, but it was never excessive paranoia.

@pleia2 The #FSF Copyright Assignment that the #GNU project uses was designed to serve the exact same purpose as well. And we have been harping about this for quite some time .. go figure.
@amszmidt @pleia2 Really? Why would a copyright assignment be necessary for that? I was under the impression it was meant to centralize license enforcement. If the goal was verification of identity, they could've just done something similar to the DCO (not that that existed yet, but they could have invented it).

@nasado @pleia2 The copyright assignment requires the developer to be identified, and verified using an ID/passport/... in the case of any copyright issues. You'd communicate name, address, phone number, etc as well.

The DCO is not sufficient for that kind of information, since anyone can just email a reply.

@amszmidt @pleia2 That's not what I mean. I mean that there's no reason you need to actually reassign copyright to do all of that verification.
@nasado @pleia2 There is also no reason to do in-person GPG signatures to verify either; there are plenty of other ways. This is just one: having an actual legal framework where the copyright assignee becomes responsible for the code that they contribute keeps the riff-raff away.

@amszmidt @pleia2

Who exactly do you mean by "riff-raff"?

@nasado @pleia2 Jia Tan and other unserious actors. Are we reading and replying to the same thread?
@amszmidt @pleia2 "Riff-raff" is a real strange word to use, is all. So is "unserious", for that matter. Anyway, the point is, you can do all the verification and come out the other end with something like a DCO but more thoroughly checked. Reassigning the copyright is unnecessary for that purpose. And the copyright assignee "becoming responsible for" the code doesn't mean anything -- they become socially responsible for it when they distribute it, and legally nobody is responsible thanks to the standard disclaimers in virtually every FOSS license.
@nasado @pleia2 No, you cannot. That's the whole point. A DCO is not a physical link between the individual and what is being submitted. GPG signing or actual verification of legal documentation is. A DCO is beyond easy to fake, and would not have helped anything in the xz case, where a CA or an in-person GPG check would have raised the bar much higher. You are confusing different topics.
@amszmidt @pleia2 I've been clear from the beginning that I'm talking about something *like* the DCO -- as in, something that verifies the developer's identity without requiring copyright assignment. I am not saying they could just use the actual DCO procedure. If the FSF wants copyright, they probably have to do the extensive verification, but that doesn't mean that if they want the verification they have to get copyright assigned.
@nasado @pleia2 Something like that doesn't exist. The CA's purpose is to verify that you are you and have the right to contribute the change without any copyright issues. That there is an assignment (and a give-back on that) is beside the point. I'm muting you now, since I don't think there is much point in continuing this.