Re: Issues I've had with Void

From: Kevin Bowling <kevin.bowling_at_kev009.com>
Date: Fri, 18 Apr 2025 19:55:39 UTC
On Tue, Apr 15, 2025 at 4:41 PM <paige@paige.bio> wrote:
>
> How high of a standard is there for contributions to the core components of FreeBSD (i.e. not ports)?
>
> In my mind you guys would require some info about the contributor, as in somebody with a real name as opposed to a gamer tag, right?
>
> I'm just kinda pissed off at the sorry-ass way some Linux distros have handled accountability and attribution, but particularly Void. My sense is, with FreeBSD it matters a lot given the investment of the people I know who have contributed to it over the years; I'm sure they would like to believe this still matters and that it's too important to allow contributions that can't be definitively attributed to a real person.
>
> I get that with ports it's a bit different, and that the Linux kernel is not Void. As a matter of fact I have a mirror of the ports distfiles (at least about 400 GB of them) and it's scary to think about, but it's at least a little less scary to me than the way Void handles package management, because I feel like somebody is willing to endorse at least the core part of FreeBSD.

I don't speak authoritatively in any way here and am just commenting
with my learnings of being around for over a decade.  You can find
some videos of Kirk McKusick giving a history of especially the CSRG
BSD project and the current situation will make a bit more sense.  In
those days, shared access to a host to be able to check in code turned
out to be the genesis of an Internet-hosted open source, open
contribution project (if you go back in time and leave out the
Internet part there are things like SHARE that predate BSD).  The
reason to get involved, i.e. send in a patch, was and is "cred" as
much as anything else.  The people with a lot of "cred" were entrusted
with committer access.  Eventually the idea of a core team comes
about.  There are many other ways to run a project now.  We've
embraced some of them, e.g. distributed version control and
various onramps to make drive-by contributions easier.  But we still
maintain much of that heritage because it has worked this long.

There is nothing in particular about this model that heightens
security, but it is also not reckless - e.g. most corporations rely to
a high degree on trust derived from being on the payroll, but this is
easily enough defeated by nation-state level actors, and in certain
high stakes industries there could even be professional corporate
espionage or sabotage (e.g. the current "AI" bubble).  The open
source, open disclosure model is one that seems to stand the test of
time, and FreeBSD does this as well as any other project in my
opinion.  The goodwill of interested people keeps an unknown number of
problems from ever entering a release, and provides a timely response when
there is any failure.  The idea of source, longevity, reproducibility,
and many eyes helps to create a body of trust.  Like everything else
it is not perfect, but it is perpetually open to new contributors
offering new ideas to make it better.

> Idk I guess I'm just starting to realize how much people don’t learn from some mistakes. A couple of years ago when sshd got backdoored, it was incredible to think that the attacker actually used coercive tactics, and I’m sure a lot of people were shaken by it but it just seems apparent to me that there are much simpler opportunities for attacks against various Linux distributions.
>
> Sent from my iPhone