Conversation

Notices

Embed this notice
Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 03:05:02 JST Evan Prodromou

Here's my main takeaway from the #xz crisis: require GitHub contributors to have a verified fediverse account in their profile links, and use it to find out what their actual reputation is.

In conversation about a year ago from cosocial.ca permalink
- Embed this notice
  Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 05:56:25 JST Evan Prodromou
  in reply to
  - ClickyMcTicker
  @ClickyMcTicker why's that?
  
  In conversation about a year ago permalink
- Embed this notice
  ClickyMcTicker (clickymcticker@hachyderm.io)'s status on Monday, 01-Apr-2024 05:56:26 JST ClickyMcTicker
  in reply to
  
  @evan Absolutely not.
  
  In conversation about a year ago permalink
- Embed this notice
  Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 06:05:06 JST Evan Prodromou
  in reply to
  - hambier
  @hambier do you use other systems, like LinkedIn or letters of reference, when doing professional work?
  
  In conversation about a year ago permalink
- Embed this notice
  hambier (hambier@mastodon.opencloud.lu)'s status on Monday, 01-Apr-2024 06:05:07 JST hambier
  in reply to
  
  @evan So if I'm contributing to some project (occasionally in my case), I'd be required to also use social media under that same identity?
  I find that thought disturbing to be honest. Social media is often personal or political and there are lots of good reasons to do it under a pseudonym. But my contributions are under my real name out of a vague feeling of respect and transparency.
  IMHO it would be a very strong barrier. First creating an online profile just to fix some bugs yourself?
  
  In conversation about a year ago permalink
- Embed this notice
  Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 06:10:00 JST Evan Prodromou
  in reply to
  - Benjamin Fry
  @bluejekyll yes; they also used sock puppet accounts to pressure the maintainer into getting more co-maintainers.
  
  In conversation about a year ago permalink
- Embed this notice
  Benjamin Fry (bluejekyll@hachyderm.io)'s status on Monday, 01-Apr-2024 06:10:01 JST Benjamin Fry
  in reply to
  
  @evan this sounded like a fairly sophisticated attack, hadn’t the contributor been submitting patches for like 2 years before this? Given that level of commitment, probably would have gone through similar lengths on social media.
  
  In conversation about a year ago permalink
- Embed this notice
  David Somers (omz13@mastodon.social)'s status on Monday, 01-Apr-2024 06:12:12 JST David Somers
  in reply to
  
  @evan A nefarious actor will simply juice their “verified fediverse account” with “reputation” (whatever that is). The #xy crisis seems to be a long-term play.
  
  In conversation about a year ago permalink
- Embed this notice
  Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 06:12:12 JST Evan Prodromou
  in reply to
  - David Somers
  @omz13 reputation means that you and I have connections in common that I can ask about you and what kind of contributor you are.
  
  In conversation about a year ago permalink
- Embed this notice
  Scott Sweeny (ssweeny@fosstodon.org)'s status on Monday, 01-Apr-2024 06:16:31 JST Scott Sweeny
  in reply to
  
  @evan Can't accept your PR. Not enough wuffie.
  
  In conversation about a year ago permalink
- Embed this notice
  Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 06:16:31 JST Evan Prodromou
  in reply to
  - Scott Sweeny
  @ssweeny I know you're joking, but I also think that there is a difference between accepting PRs and making someone a co-maintainer. If you were hiring someone for that job, you would check references.
  
  In conversation about a year ago permalink
- Embed this notice
  Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 10:53:22 JST Evan Prodromou
  in reply to
  - Dr. Brandon Wiley
  @brandon with GitHub, you can link to a fediverse account, and if you link back, the identity is "verified". The same person controls both accounts.
  
  In conversation about a year ago permalink
- Embed this notice
  Dr. Brandon Wiley (brandon@mastodon.blanu.net)'s status on Monday, 01-Apr-2024 10:53:35 JST Dr. Brandon Wiley
  in reply to
  
  @evan What does "verified" mean in this sentence?
  
  In conversation about a year ago permalink
- Embed this notice
  Evan Prodromou (evan@cosocial.ca)'s status on Monday, 01-Apr-2024 13:20:48 JST Evan Prodromou
  in reply to
  - David Somers
  @omz13 Using fediverse mutual connections as a signal is better than nothing.
  
  In conversation about a year ago permalink
- Embed this notice
  David Somers (omz13@mastodon.social)'s status on Monday, 01-Apr-2024 13:20:49 JST David Somers
  in reply to
  
  @evan Programmers are lazy/busy and barely have time to read the README file, let alone do due diligence on a package they’re importing. Plus, if we have connections in common, asking for any kind of reference is IRL highly dependent on personal whims and vendettas (and comes with no guarantees). For #xy it seems there were other actors “vouching” because nefarious actors will “juice” where needed: build their own network of connections to appear genuine to aid their agenda.
  
  In conversation about a year ago permalink

Public

Conversation

Notices

Feeds