On 2024-06-18 12:43, Arınç ÜNAL wrote:
After the xz backdoor incident, I don't think it would be very wise to
start allowing usernames. Not just that, anyone with a full name that
cannot be tied to a real person through either public knowledge on the
internet, or information privately provided to the maintainers of the
project is a potential infiltrator in my eyes.
But, I think usernames should be allowed for submissions, and the
submissions must be reviewed thoroughly. Becoming a maintainer or a member
of the project on the other hand, must not be possible unless the person's
real life identity is privately provided.
Arınç
IMHO, neither version of the contribution policy ("real-name-only" or
"known identity") matters for malicious (or compromised) contributors.
A malicious "contributor" can simply fake their name, and under the
current policy, it would be accepted at face value.
Note that I am ignoring *committers*, because that is a much more
selective and trusted group, and has different rules from what I understand.
The policy change that I am talking about is for contributors, not
committers (the ~50 people who can merge changes into the project repos).
Proof-of-identity is a valid concern, but I think it's largely
orthogonal to this specific policy.
sudoBash418
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel