I’m concerned stuff like this will lead to a “dark forest” scenario, in which the risks of open source outweigh the benefits.
-
@mttaggart Given that reviewing a PR is already labor-intensive, is it that much marginal effort to ask contributors to hop on a call and verify their humanity? Maybe once they've done it once they can get a credential as a trusted contributor.
@anyone_can_whistle Okay now imagine having to make that request for 1000 PRs that just came in
-
@anyone_can_whistle Okay now imagine having to make that request for 1000 PRs that just came in
@mttaggart I can imagine it being automated; maintainers have a calendly-type thing, so making the appointment is not work for the maintainer. If you want to submit a PR you get on the calendly. I don't really see the incentive for bots to spam a system that is going to human-verify them eventually. Maybe the problem would be that a bad human actor with a bunch of bots would make themself available for the verification.
-
@mttaggart I can imagine it being automated; maintainers have a calendly-type thing, so making the appointment is not work for the maintainer. If you want to submit a PR you get on the calendly. I don't really see the incentive for bots to spam a system that is going to human-verify them eventually. Maybe the problem would be that a bad human actor with a bunch of bots would make themself available for the verification.
@mttaggart But maybe part of the verification would be actual identity (is anonymity valued in software contributions?). Or maybe the ability to talk through the PR.
-
@mttaggart I can imagine it being automated; maintainers have a calendly-type thing, so making the appointment is not work for the maintainer. If you want to submit a PR you get on the calendly. I don't really see the incentive for bots to spam a system that is going to human-verify them eventually. Maybe the problem would be that a bad human actor with a bunch of bots would make themself available for the verification.
@anyone_can_whistle @mttaggart i guess many would just quit beeing a maintainer of an open source project if this is the response.
-
@anyone_can_whistle @mttaggart i guess many would just quit beeing a maintainer of an open source project if this is the response.
@anyone_can_whistle @mttaggart i guess that the era of "open source on ones spare time" will be a thing of the past, at least.
-
I’m concerned stuff like this will lead to a “dark forest” scenario, in which the risks of open source outweigh the benefits. Not today, but it's not impossible tomorrow.
https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
@mttaggart the end goal is the end of open source because who needs it when you can vibe code whatever you need though by paying a specific vibe vendor, right?
-
At the very least, we're going to need a highly effective spam filter for code contributions
Indeed, this is the kind of anti-human behavior that could necessitate a "hard fork" of the web—or just kill it.
-
M mttaggart@infosec.exchange shared this topic
-
@mttaggart But maybe part of the verification would be actual identity (is anonymity valued in software contributions?). Or maybe the ability to talk through the PR.
@anyone_can_whistle @mttaggart
I remember having id-keys (gpg, etc) signed be real people, in person, establishing a web of trust.
Something like that?
Not all of my IDs were real name btw. I had a whole chain of validation with "hacker" handles.
-
At the very least, we're going to need a highly effective spam filter for code contributions
@mttaggart Make 'em email patches like God intended.
-
At the very least, we're going to need a highly effective spam filter for code contributions
@mttaggart we’ve needed some sort of “reputation” system in OSS (spanning forges and package repositories) a bit more organized than “I’ve seen your pseudonym/avatar on another repo or on Twitter/mastodon) for some time.
I just hope it will be thoughtfully done and not hacked in place by a single (Github?) provider in reaction to incidents
-
@mttaggart we’ve needed some sort of “reputation” system in OSS (spanning forges and package repositories) a bit more organized than “I’ve seen your pseudonym/avatar on another repo or on Twitter/mastodon) for some time.
I just hope it will be thoughtfully done and not hacked in place by a single (Github?) provider in reaction to incidents
@vbfox In another context, here's my attempt at reputation for web content: https://ringspace.net
