I see more and more contributors hiding their real name, just using a nickname.
Jia Tan (from the xz backdoor in 2024) was also a nickname and was co-maintainer.
The thing is, hiding behind a nickname is bad for security reasons. When contributors or maintainers have their reputation at stake, it ensures a higher level of security.
All major open source programs have one or a few official versions with “owners” with reputations at stake.
So, like the current debates about LLMs, I think we should be cautious about contributors hiding their real names. IMHO we should review such contributions more carefully, or just disallow nicknames altogether.
This won’t prevent contributors from choosing made-up names though. Some identity verification may be necessary before having more decision power within the project and community. For example when registering for a conference, or when becoming a member of the Foundation.
The GNOME Foundation’s members are a vitally important part of the organisation, and this week we changed our membership requirements to make them more inclusive. This change required legal input, and was one of the reasons that I had a call with a lawyer last week. With that done we have been able to drop the requirement that members provide a legally registered name: as long as the name you provide is used elsewhere and we have a valid email address, that should be enough.
This change was actually caused to allow trans people to use our names, instead of our legal names which are often a deadname.
And I personally think that unless we’re gonna do ID verification every time someone sends a patch, it’s really impossible to know whether their name is actually real. For example, how can I be sure your name is actually what you say? That’s not really easily verifiable.
I guess we could require new contributors to utilize an ID verification service when opening their first merge request, but that would be pretty intense. And even that wouldn’t help much, because an actual attacker will have the ability to create a fake ID.
We should probably just let people contribute using whatever name they prefer.
Once a nickname has a bad reputation, the attacker(s) can easily continue with other nickname(s). With a nickname, we don’t know if it’s only one person or a team. And we don’t know if one person has contributed under several names.
I don’t remember if I needed to provide a scan of my identity card for GNOME. But I have been a GNOME Foundation member since 2012, and I went to two GUADECs. I vaguely remember needing my identity card at least for GUADEC accommodation and for taking the plane.
It would be possible for me to go to a key signing party for GPG keys.
Without a nickname, you still don’t know who is writing the code. A team can still use a single person’s identity as a front, similarly to how the xz attack is believed to have been carried out.
This is a bit loaded: “hiding their real name, just using a nickname”.
It is not a 100% clear-cut situation:
I am a translation coordinator for GNOME. When I get a submission from someone I check the translation rather than their identity.
Even when I meet the contributor in person - I do not request to see an identity card - basically the official way in Bulgaria to identify yourself.
Using a public facing nickname is not the same as anonymity. I may know a person but that person may submit all their translations using a nickname for privacy reasons.
I really do not want to be tasked with verifying identities of people.
However I get the idea of making life harder for those that attempt an xz-like attack.
The infrastructure for such identities is not there yet. For example there are now officially valid ways for electronic signatures that will become even more accessible and usable in future but it is not universal.
Still - requiring known identities will preclude some people from ever contributing:
Mostly that will be people that just don’t live in a place where such an official electronic identity exists
There will always be a subset of people that are trying to escape some laws that preclude them from contributing or the act of contributing will endanger them in some way
There are also people that do not want any of their personal data exposed for privacy reasons
I am not sure we will ever be in a position where one rule encompasses all cases. Perhaps there will be tiering:
official identity required for some roles
permanent identity for others
and some where even anonymous contributions are allowed
10 years is a very long time. I guess asking this in 2 years will be ok.
To open a bank account your identity is verified. That doesn’t stop fraud and scams from happening; bad actors simply use somebody else’s bank account — a “money mule”. Bad actors wanting to do an xz-style attack could similarly steal or use somebody else’s identity. Besides, the xz attack wasn’t discovered by identity verification; it was discovered by auditing the code. Let’s put effort towards automating that.
Requiring contributors to use their government name will shrink the pool of contributors. I think it’s discriminatory governance, and won’t comply with the code of conduct.
While contributors may prefer to use their real name, I imagine for employment opportunities, other contributors may prefer to use an online alias. Like for safety, to not have online harassment follow them to their doorstep. Or for privacy, to not have employers, neighbors and other people who know them IRL knowing their every hobby or volunteer work. And likely many other reasons.
Perhaps requiring disclosure of a verifiable identity to the project makes sense for certain roles. Speaking for myself, if you want to verify my identity you had better put me on your payroll.
Key signing “parties” are a massive bar to clear: they require travelling, and established/well-known government-issued identity documentation that is simply not always available to everyone.
In practice, this whole discussion is predicated on a very 1990s idea of a small set of privileged contributors that have the resources to regularly travel to well-known locations and can meet up and exchange information in person. This hasn’t been a viable strategy in years.
The XZ attack is mitigated by increasing the amount of code validation and increasing the number of contributors, while diffusing the responsibilities to avoid a centralised attack surface.
There are also other ways to improve the trust in software development.
For example many GNOME git repositories allow anyone with “developer” access rights to push to the main branch, which doesn’t sound safe. GitLab allows you to require approved merge requests for committing to main, which ensures someone else has had a look at the changes.
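The check the post above suggests (is the default branch protected against direct pushes, and does some approval rule require a second reviewer?) can be scripted against GitLab's protected-branches and approval-rules API responses. The following is an added example, not code from the thread or from GNOME's infrastructure. It assumes the field names of GitLab's `GET /projects/:id/protected_branches` and `GET /projects/:id/approval_rules` responses (`push_access_levels`, `access_level`, `access_level_description`, `allow_force_push`, `approvals_required`) and the documented access-level values (0 = no one, 30 = Developer, 40 = Maintainer); the project names and the JSON below are constructed sample data, not real projects.

```python
"""Audit GitLab protected-branch and approval settings for a default branch.

Added example: flags projects where developers can push straight to main
or where no merge-request approval rule requires a second pair of eyes.
"""
import fnmatch

# Documented GitLab access levels (assumption: values as in the GitLab API docs).
NO_ACCESS = 0
DEVELOPER = 30
MAINTAINER = 40

# Constructed sample data shaped like the two API responses for three
# hypothetical projects; not real GNOME projects.
SAMPLE_PROJECTS = {
    "example/loose": {
        "protected_branches": [
            {"name": "main",
             "push_access_levels": [{"access_level": DEVELOPER,
                                     "access_level_description": "Developers + Maintainers"}],
             "merge_access_levels": [{"access_level": DEVELOPER,
                                      "access_level_description": "Developers + Maintainers"}],
             "allow_force_push": False},
        ],
        "approval_rules": [],
    },
    "example/wildcard": {
        "protected_branches": [
            # Protected-branch names may be wildcards, so "ma*" covers "main".
            {"name": "ma*",
             "push_access_levels": [{"access_level": MAINTAINER,
                                     "access_level_description": "Maintainers"}],
             "merge_access_levels": [{"access_level": MAINTAINER,
                                      "access_level_description": "Maintainers"}],
             "allow_force_push": True},
        ],
        "approval_rules": [{"name": "Reviewer", "approvals_required": 1}],
    },
    "example/strict": {
        "protected_branches": [
            {"name": "main",
             "push_access_levels": [{"access_level": NO_ACCESS,
                                     "access_level_description": "No one"}],
             "merge_access_levels": [{"access_level": MAINTAINER,
                                      "access_level_description": "Maintainers"}],
             "allow_force_push": False},
        ],
        "approval_rules": [{"name": "Reviewer", "approvals_required": 1}],
    },
}


def find_protection(protected_branches, branch):
    """Return the first protection rule whose (possibly wildcard) name matches branch."""
    for rule in protected_branches:
        if fnmatch.fnmatchcase(branch, rule["name"]):
            return rule
    return None


def audit_branch(protected_branches, approval_rules, branch="main"):
    """Return a list of findings; an empty list means direct pushes are blocked
    and at least one approval is required before merging."""
    findings = []
    rule = find_protection(protected_branches, branch)
    if rule is None:
        # Unprotected branch: any developer can push commits straight to it.
        return [f"{branch} is not protected: developers can push directly"]

    # Any push access level above "no one" means commits can bypass review.
    for level in rule.get("push_access_levels", []):
        if level["access_level"] > NO_ACCESS:
            findings.append(f"direct push to {branch} allowed for "
                            f"{level['access_level_description']}")
    if rule.get("allow_force_push"):
        findings.append(f"force push to {branch} allowed: history can be rewritten")

    # Simplification: treat every project-level approval rule as applying to
    # this branch and sum the approvals they require.
    required = sum(r.get("approvals_required", 0) for r in approval_rules)
    if required < 1:
        findings.append("no approval rule requires a second reviewer on merge requests")
    return findings


def audit_projects(projects, branch="main"):
    """Map each project path to its findings for the given branch."""
    return {path: audit_branch(p["protected_branches"], p["approval_rules"], branch)
            for path, p in projects.items()}


if __name__ == "__main__":
    for path, findings in audit_projects(SAMPLE_PROJECTS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{path}: {status}")
```

Run against live data, the two API responses per project would replace `SAMPLE_PROJECTS`; the audit logic itself is the same. Note that a protected branch whose push level is "Maintainers" still lets a single compromised maintainer account land unreviewed code, which is why the check treats anything above "No one" as a finding.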
I have a couple of related problems with this. I’ve been on the net for a few decades now, and something that we used to have, which has been steadily eroding for years, is the right to be anonymous. Yes it can lead to people behaving badly, but a lot of people also built up reputations over years while using a nickname, never revealing their real name. So that’s a cultural thing I would not like to see thrown out.
My other reason is related. Stated simply, I support the trans community and their often quite valid reasons for not wishing to use their legal name. This is particularly important in the face of today’s political environment when all of the progress of decades is at risk. Obviously I’m talking primarily about the US, where states like Kansas are passing laws to force people to use their original legal name on official documents. Like it or not, FreeSoftware is political by nature. Let’s not add insult to injury in the name of security - we can find better ways to be secure.