[b112]

One thing missing here.

I develop cool thing X. Now, 100 minor things depend upon it.

Suddenly, Facebook (or anyone of that size!) starts using it, and decides to vet the maintainer/author.

Who says anyone has to cooperate? It's his software. He wrote it. Don't like it?

Well tough!

Now obviously Facebook could author a replacement. It could fork and maintain.

But the very nerve that Facebook(or anyone!) would insist upon a security audit of the anonymous author would be very, very strange.

Next up, I lend a neighbour my lawn mower, after he comes begging to borrow it. Oh but wait! My neighbour now wants me to sign a libabilty form, and also undergo a security check, all so he can borrow my lawnmower!

The hell?!?!

Hoping this illustrates my point. The project author owes nothing to anyone.

And it gets more wacky, if there are 100 companies demanding audits. What? Demand?!

This is where distros are the strong point. They aren't perfect, but they catch a lot of stuff on their own. And maintainers of different distros often backchannel, support each other in this.

In terms of some government org "vetting" people? Way to take the last vestiges of free software, and hacking, and turn it into a gatekeeping, bureaucratic nightmare. I guess one will need credentials, government id, a 10 year security check, to be fingerprinted, and so on? Security clearances work like that, and that's how you vet someone.

[darnir]

This exact thing happened to me. I maintain a fairly popular free software project. A few years ago, I received an email from a nasa.gov domain claiming that they want to use the project internally and are auditing all their suppliers. They wanted documentation on me and on how I audit my supply chain for the project. Not cool. I don't have time for these shenanigans in my personal time.

[jdiez17]

I'm sure you had the choice not to provide that documentation, right?

[darnir]

Well, yes. And I chose to exercise that right.

The point of the anecdote is to supplement the parent poster by stating that their hypothetical scenarios are already happening.

We should have better testing and more eyes on incoming code for projects we depend on. But my point I guess is that vetting maintainers is not an option.

[buffet_overflow]

Agreed that the vetting of private people would be invasive and not a good use of resources. It would also not work for recently compromised accounts.

I’m also personally torn on how much we want giant private companies controlling more and more of the core compute infrastructure and software.

In an ideal world, the code and software itself would be automatically analyzed for malicious use cases in release and deployment pipelines, but that’s a magic hand wavy kind of ask of a huge magnitude and complexity.

[bdd8f1df777b]

And in this case Facebook did author a replacement--zstd. It just didn't get popular enough. And even when it does get popular, it won't replace all usages of xz, only some of them.