The whole point of open source was that you can see the code and the commits. We don’t need to trust anybody. I feel like banning contributors is just contradicting one of the key benefits of open source.
Wouldn’t it be the right thing to just improve the security and vetting of commits to the kernel? After all, it’s the Linux Kernel.
Besides, the idea that employed developers with a Russian day job are a risk… but one fails to consider these were the honest ones who declared their day job. Does the threat modelling end there?
What would you do about people who… lie online about where they work? (I know it’s impossible but bear with me).
I feel like properly vetting commits to the kernel that does not involve the core contributors and maintainers too much is the way to go. (Tests, dedicated resources, more time in review, commit to a staging branch and ask the world’s foremost hackers to find vulnerabilities, etc)
The whole point of open source was that you can see the code and the commits. We don’t need to trust anybody. I feel like banning contributors is just contradicting one of the key benefits of open source.
You are misunderstanding why the sanctions happened. It has nothing to do with whether or not the individuals working at those entities are trustworthy or not.
The Linux Foundation is an institute of the United States. The United States has demanded that entities within their jurisdiction, like the Linux Foundation, follow sanctions, and cut contact and interaction with sanctioned entities.
Because the Linux Foundation doesn’t want to be punished or pay fines, they follow those sanctions. Nothing to do with trusting the individual contributors or corporations.
What would you do about people who… lie online about where they work?
This is probably what happened. The contributors went home, to their personal emails, and the world kept spinning and no one looked twice.
Ok, lots of Russian trolls out and about. It’s entirely clear why the change was done, it’s not getting reverted, and using multiple random anonymous accounts to try to “grass root” it by Russian troll factories isn’t going to change anything. And FYI for the actual innocent bystanders who aren’t troll farm accounts - the “various compliance requirements” are not just a US thing. If you haven’t heard of Russian sanctions yet, you should try to read the news some day. And by “news”, I don’t mean Russian state-sponsored spam. As to sending me a revert patch - please use whatever mush you call brains. I’m Finnish. Did you think I’d be supporting Russian aggression? Apparently it’s not just lack of real news, it’s lack of history knowledge too. Linus
Reviewing every change and discovering every issue is unfeasible on multiple levels. Even skipping that fundamental, base level requirement; you need to trust in trustworthiness from submitters and reviewers, and that people review. You need to trust those maintainers that can push and pull and merge. You need to trust the builders and publishers and distributors.
I doubt you’re reviewing every code change and compiling or verifying reproducible builds on every software and patch version you run. You put trust in the chain. And the chain decided to cut at some point because of risk.
Besides, the idea that employed developers with a Russian day job are a risk… but one fails to consider these were the honest ones who declared their day job.
So you think people do only one job and have only one concern? Do you think people of sanctioned countries, contributing to an unjust war, more or less directly, are a bad place to start reducing risks?
I feel like properly vetting commits to the kernel that does not involve the core contributors and maintainers too much is the way to go.
I’m baffled you can make this point while at the same time not accepting their decision after review, assessment, and consequence. You’re asking them to review while not accepting their decision. From the same people.
The whole point of open source was that you can see the code and the commits. We don’t need to trust anybody. I feel like banning contributors is just contradicting one of the key benefits of open source.
Wouldn’t it be the right thing to just improve the security and vetting of commits to the kernel? After all, it’s the Linux Kernel.
Besides, the idea that employed developers with a Russian day job are a risk… but one fails to consider these were the honest ones who declared their day job. Does the threat modelling end there?
What would you do about people who… lie online about where they work? (I know it’s impossible but bear with me).
I feel like properly vetting commits to the kernel that does not involve the core contributors and maintainers too much is the way to go. (Tests, dedicated resources, more time in review, commit to a staging branch and ask the world’s foremost hackers to find vulnerabilities, etc)
You are misunderstanding why the sanctions happened. It has nothing to do with whether or not the individuals working at those entities are trustworthy or not.
The Linux Foundation is an institute of the United States. The United States has demanded that entities within their jurisdiction, like the Linux Foundation, follow sanctions, and cut contact and interaction with sanctioned entities.
Because the Linux Foundation doesn’t want to be punished or pay fines, they follow those sanctions. Nothing to do with trusting the individual contributors or corporations.
This is probably what happened. The contributors went home, to their personal emails, and the world kept spinning and no one looked twice.
Source: https://lwn.net/ml/all/CAHk-=whNGNVnYHHSXUAsWds_MoZ-iEgRMQMxZZ0z-jY4uHT+Gg@mail.gmail.com/
Reviewing every change and discovering every issue is unfeasible on multiple levels. Even skipping that fundamental, base level requirement; you need to trust in trustworthiness from submitters and reviewers, and that people review. You need to trust those maintainers that can push and pull and merge. You need to trust the builders and publishers and distributors.
I doubt you’re reviewing every code change and compiling or verifying reproducible builds on every software and patch version you run. You put trust in the chain. And the chain decided to cut at some point because of risk.
So you think people do only one job and have only one concern? Do you think people of sanctioned countries, contributing to an unjust war, more or less directly, are a bad place to start reducing risks?
I’m baffled you can make this point while at the same time not accepting their decision after review, assessment, and consequence. You’re asking them to review while not accepting their decision. From the same people.