One worrying thing about the whole xz debacle is that maintainers are probably going to be even less inclined to trust people they don't know coming in to offer help (99.9% of whom are, one hopes, _not_ state-sponsored attackers ...), and thus it will be even harder to relieve the pressure on overworked maintainers.
@cjwatson It's easy to trust when we have CoWorking sessions and chats. It's easy to identify who knows things and who is shit-talking.
@Toasterson @cjwatson #JiaT75 totally knew shit, including deep dive into xz security…
@mirabilos @cjwatson Or somebody feeding the account with exploits. Does not have to be the same person as the one doing the simple maintenance.
@cjwatson it will amplify network effects, I think. We will be more likely to trust people we already know and less likely to trust newcomers with zero background. And I'm sure you can see how that's a problem...
@ehashman Yeah exactly. And we saw the racists coming out pretty quickly for this one, so I'd bet it will be particularly hard for newcomers with Chinese names for a while
@mirabilos @ehashman Oh sure, I carefully avoided claiming they were
@mirabilos @cjwatson @ehashman And it wouldn't matter in any case. Most people in the OSS community never meet face-to-face; for some, there isn't even a single picture available publicly - and that's fine. "Trust, but verify" is the only thing we have. However, there should be a discussion about "clever" code. When people regularly contribute good, innocent, but needlessly complicated code, it becomes a problem.
@cjwatson And refactors/improvements in critical areas will now be viewed with even more scorn than until now... demanding maintainers become the sole point of failure for codebase layout
@cjwatson incidentally I did get contacted around January by someone from a yahoo address, no digits in it though, asking if they could be my "assistant", and found it suspect already