Here's my main takeaway from the #xz crisis: require GitHub contributors to have a verified fediverse account in their profile links, and use it to find out what their actual reputation is.
-
@omz13 reputation means that you and I have connections in common that I can ask about you and what kind of contributor you are.
-
@evan Programmers are lazy/busy and barely have time to read the README file, let alone do due diligence on a package they’re importing. Plus, if we have connections in common, asking for any kind of reference is IRL highly dependent on personal whims and vendettas (and comes with no guarantees). For #xz it seems there were other actors “vouching” because nefarious actors will “juice” where needed: build their own network of connections to appear genuine to aid their agenda.
-
@omz13 Using fediverse mutual connections as a signal is better than nothing.
-
@evan It is a low-quality signal that just means mutual connections: interpreting anything more from that is unwise. IRL we have mutual connections, and I’m sure if we exchanged references/vouches about those mutual connections the result would not be identical because of our different experiences of interacting with them (we move in overlapping, not identical, circles).