
Don't you think that something as simple as a CLA (contributor legal agreement) would prevent this type of thing? Of course it creates noise in the open source contribution funnel, but let's be honest: if you are dedicating yourself to something like contributing to OSS, signing a CLA should not be something unrealistic.


A CLA is not an ID check. It is to hand over the rights for the code to the project owners rather than doing any identity check.


Agreed. But it does not mean it couldn't be. As per the terms, the content of a CLA could be anything. And that's my point.


Then the question becomes "should we require ID for open source contributions?" and the answer is most likely no; not a good idea.


That's stretching the traditional definition. Usually CLAs are solely focused on addressing the copyright conditions and intellectual property origin of the contributed changes. Maybe just "contributor agreement" or "contributor contract" would describe that.


What exactly is a CLA going to do to a CCP operative (as appears to be the case with xz)? Do you think the party is going to extradite one of their state sponsored hacking groups because they got caught trying to implement a backdoor?

Or do you think they don’t have the resources to fake an identity?


The whole Chinese name and UTC+8 were a cover, as the person apparently was from EET.


While it ultimately doesn't matter if it was Russia or China beyond potential political fallout, do you have a link to the proof pointing towards EET?


There was a link in this thread pointing to commit times analysis and it kinda checks out. Adding some cultural and outside world context, I can guess which alphabet this three-four-six-letter agency uses to spell its name at least.
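The commit-time analysis referred to above, as an added example that is not from this thread or from any published xz write-up: given author timestamps as `git log --format=%aI` prints them (the sample below is constructed), tally the offsets actually stamped on the commits and then ask which real UTC offset would put the most commits inside a normal workday. It assumes a 09:00-18:59 local workday; both the data and that window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of author dates in `git log --format=%aI` form.
# Seven are stamped +08:00, one "slipped" through with +03:00.
SAMPLE_LOG = """\
2023-06-27T16:40:10+08:00
2023-07-03T21:12:44+08:00
2023-07-10T22:05:30+08:00
2023-07-18T23:58:02+08:00
2023-08-02T14:30:15+08:00
2023-08-15T19:41:09+08:00
2023-09-01T16:30:00+03:00
2023-09-20T20:10:55+08:00
"""

# Assumption: a contributor with a day job commits mostly between 09:00 and 18:59.
WORK_HOURS = range(9, 19)


def parse_commits(log_text):
    """Parse one ISO-8601 author date per line into timezone-aware datetimes."""
    return [datetime.fromisoformat(line.strip())
            for line in log_text.splitlines() if line.strip()]


def stated_offsets(commits):
    """Count the UTC offsets the committer's clock claimed (e.g. '+0800')."""
    return Counter(dt.strftime("%z") for dt in commits)


def workday_fit(commits, offset_hours):
    """Fraction of commits inside WORK_HOURS if the author really lived at UTC+offset_hours."""
    if not commits:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for dt in commits if dt.astimezone(tz).hour in WORK_HOURS)
    return hits / len(commits)


def best_fitting_offset(commits, candidates=range(-12, 15)):
    """The candidate offset whose workday window covers the most commits (ties -> lowest)."""
    return max(candidates, key=lambda h: workday_fit(commits, h))


if __name__ == "__main__":
    commits = parse_commits(SAMPLE_LOG)
    print("stamped offsets:", dict(stated_offsets(commits)))
    for h in (8, 3, 2):
        print(f"UTC{h:+d}: {workday_fit(commits, h):.0%} of commits in working hours")
    print("best fit: UTC%+d" % best_fitting_offset(commits))
```

A strong mismatch between the stamped offset and the best-fitting one is only a lead, not proof; it is the kind of signal to weigh alongside release-timing and review-pressure patterns when assessing a contributor's provenance.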


Case closed. You are right... It could of course make things a bit more difficult for someone not backed by a state sponsor. But if that's the case, you are right.


Sadly the only way to even have a chance of fighting this is to insist on new contributors being vetted in person, and even that won’t be fool-proof.

It’s also not scalable and likely won’t ever happen, but it’s the only solution I can come up with.

