by dbingham 806 days ago
This looks... Interesting and also weirdly suspicious. It's "made by Backbone". Backbone appears to be an enterprise security startup (?) but it's unclear because the website tells you almost nothing about the company's history, finances, or who makes up the company.

The committers appear to be "Backbone Authors". The organization's membership is not visible.

With something like this, trust is vital. I need to be able to trust the code now and into the future. For trust, transparency is key. And this project has zero transparency.

For all I know, this could be a state actor trying to lay the foundation for future backdoors.

3 comments

I'm one of the authors. We built Minibone as a community contribution because we realized how unnecessarily vulnerability-prone E2EE app development is today - after seeing app after app repeatedly making the same mistakes.

Minibone is an initial attempt to address this challenge in the single-user setting (that allows a concise and easily auditable implementation).

This is all part of our broader work that you can read about here: https://backbone.dev/company

Jumping on this, I've also noticed you don't seem to have an obvious "Terms and Conditions" or "Privacy Policy" on your site.

It's also not immediately obvious to me where the company is registered or info about the people behind the company.

For a security focused company these are all things I would expect to be rock-solid and as transparent as possible for the initial due-diligence when evaluating services like this.

Do you have a name? Which commits did you author?

After the xz debacle, knowing who wrote which commits became important.

> The committers appear to be "Backbone Authors". The organization's membership is not visible.

This is slightly insane. How can they release something as Apache License if they aren't even giving out the name of the developers? Exactly WHO is licensing this source code?

There are many open source crypto libraries and it's probably not the wisest to use one authored by anonymous developers.

Why would somebody have to list their name to Apache license something?

> zero transparency

> could be a state actor trying to lay the foundation for future backdoors

idk if the presence of “names” is a good signal to indicate otherwise either

https://www.wired.com/story/jia-tan-xz-backdoor/

It's the contrary. It's only because we can identify Jia Tan's contributions that we can throw out just his contributions and revert to (say) xz 3.2

If xz contributors were anonymous, we would need to throw out the whole thing
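The "throw out just his contributions" step, as an added example that is not part of the thread and not taken from xz or Minibone: a throwaway git repository is built with a constructed maintainer identity and a constructed suspect identity (suspect@example.invalid), the commits attributed to the suspect are listed, and only those are reverted, newest first, while unrelated maintainer work survives. The author field is self-declared and trivially forged, so this only works to the extent a contributor used one consistent identity; that is exactly the property the comment above relies on.

```shell
#!/bin/sh
# Added example (not from the thread, xz, or Minibone). Requires git on PATH.
# All identities, file names and commit messages below are constructed.
set -eu

SUSPECT=suspect@example.invalid   # hypothetical contributor identity

make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" -c init.defaultBranch=main init -q
  git -C "$dir" config user.name "Maintainer"
  git -C "$dir" config user.email "maint@example.invalid"
  git -C "$dir" config commit.gpgsign false

  printf 'int ok = 1;\n' > "$dir/lib.c"
  git -C "$dir" add lib.c
  git -C "$dir" commit -q -m "initial import"

  # Two commits carrying the suspect identity: one touches source,
  # one adds a build-configuration file.
  printf 'int ok = 1;\nint hook = 0;\n' > "$dir/lib.c"
  git -C "$dir" -c user.name=Suspect -c user.email="$SUSPECT" \
      commit -q -am "add hook"
  printf 'hook=1\n' > "$dir/build.cfg"
  git -C "$dir" add build.cfg
  git -C "$dir" -c user.name=Suspect -c user.email="$SUSPECT" \
      commit -q -m "enable hook in build"

  # Unrelated maintainer work landed afterwards; it must survive the revert.
  printf 'docs\n' > "$dir/README"
  git -C "$dir" add README
  git -C "$dir" commit -q -m "add README"
  echo "$dir"
}

# Commits whose author field matches $2, newest first (the order in which
# they can be reverted without each revert fighting the next).
commits_by() {
  git -C "$1" log --format=%H --author="$2"
}

# Revert every commit attributed to $2, one revert commit per original.
revert_author() {
  for c in $(commits_by "$1" "$2"); do
    git -C "$1" revert --no-edit "$c" >/dev/null
  done
}

# Prints "clean" when no trace of the suspect's changes remains in the tree.
tree_state() {
  if grep -q hook "$1/lib.c" || [ -e "$1/build.cfg" ]; then
    echo tainted
  else
    echo clean
  fi
}

demo() {
  dir=$(make_repo)
  n=$(commits_by "$dir" "$SUSPECT" | wc -l | tr -d ' ')
  echo "suspect commits found: $n, tree before revert: $(tree_state "$dir")"
  revert_author "$dir" "$SUSPECT"
  echo "tree after revert: $(tree_state "$dir"), README kept: $([ -e "$dir/README" ] && echo yes || echo no)"
  rm -rf "$dir"
}
```

Run `demo` to see the before/after state. Reverting by author only scopes the clean-up; each revert still has to be reviewed, since a malicious commit can also rely on innocent-looking changes landed under other names.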

If the Minibone repo turns out to be malicious I don’t think it makes much of a difference whether they are committing as one anonymous user, or as 12 fake people.

Tracking the fake people still gives some information (for example, the more sock puppets, the harder it is to simulate discussions in issues, PRs, etc)