Some have rolled their eyes at the "paranoid" requirement from the #Debian community of in-person gpg key signing as a step to become a Debian developer, and it's often been a real barrier.

But I'm reminded of it at the #OSSummit keynote today as the #Linux Foundation's Jim Zemlin talks about the xz vulnerability and identity verification of developers.

It was never paranoia. It doesn't solve everything, and people can still be dishonest, but it was never excessive paranoia.

@pleia2 To be honest, I don't see the point of it. A threat actor can send somebody from their group to go get their signing key signed by other developers, after all.
@ariadne It's true, but there are a lot of additional barriers there, including visas, travel, and generally the extra layer of complexity that representing yourself in person brings (basically all the reasons people have brought up against it over the years). This may not mean much when a huge investment is made by a state actor already, but it's something.

@pleia2 @ariadne I guess the concern would be that a nation state actor with significant resources has much *more* of an ability to deal with most of those barriers than a genuine volunteer contributor usually does.

(While someone without such resources mostly isn't going to be doing an elaborate long-term attack like this.)

So it's not paranoid, but it's unclear how much it would help.

@ids1024 @pleia2 @ariadne You have to come out into the open. Meet people who might then be able to identify you. So it fixes an identity more to one person.

@waldi @ids1024 @pleia2 @ariadne Someone has to come out in the open. It seems almost certain that the xz attack was a team effort, and by an organization with large resources. A single person showing up and being reasonably convincing is not the highest bar in the world, and moreover the attacker has much to gain by constraining your thinking to associating them with one identity.

It's not a sure bet on their part, but then neither was their technique to get commit bits.