> Perhaps you should speak more about those consequences you’re afraid of?
I'm not particularly fearful of anything. It's an observation of a cultural change that I perceive. I'm facing many more interactions with throwaway accounts, individuals that have no desire to establish a reputation etc. It changes the way you communicate in subtle ways, there is less of a belief that you will run into some of those folks at conferences or they would not disclose themselves.
The legal elements of that are largely hypothetical since most folks will statistically not be involved with a lawsuit. However, the legal underpinnings are largely what enables Open Source, so we cannot completely be blind to this. At the same time it's also clear that we care less about this as a whole. While it was once much more commonplace to verify authors, to vet licenses and contributors, that's clearly something that even established projects do less of. I have no idea what this means, but it seems like it's a shift nonetheless.
The practical implications are much more obvious. The creator of xz also suffered inconveniences despite not being the perpetrator when GitHub restricted their account.
> I know people online don’t take the No Warranty clause statement seriously when they demand support, but a court definitely will.
That's not entirely clear. At some point even writing code can become a legal matter and plenty of software engineers who were charged and convicted under wire-fraud charges are there to tell a story. Mind you, many of those things were outright obvious malice, but we don't know for sure where such lines are drawn for sure.

Yeah, exactly what I'm saying. As long as you put software out there in good faith, you won't be convicted of wire fraud. So just ... don't be malicious I guess? That seems like a low bar that all of us can clear.
> While it was once much more commonplace ... to vet licenses
I don't know why we need to vet licenses? We've mostly come to a consensus. Most software is either MIT/Apache (anything goes), GPL (release your modified source as GPL) or some weird license masquerading as open source (hi Mongo and Redis). We don't need more innovation in this space, we need less. And there's not much to discuss when almost all software is one of the first three licenses.
> legal underpinnings are largely what enables Open Source
I'd argue that if Open Source is continuing to be developed despite us not verifying identities, maybe it isn't necessary anymore? Maybe it was just something we did back in the day, but we don't need to anymore because the landscape has changed. It's possible what we actually needed was authentication - that this PR is actually coming from Armin and not someone masquerading as him. And GitHub provides that with its username, password and 2FA.
As long as there's no account level hacking involved and I know the person who submitted this change is the same one I think they are, that gives me a lot of confidence. At that point it doesn't matter if the change came from Armin (who I've never had the pleasure of meeting), or Asahi Lina (who I never will meet).