[BBLISA] Quick Poll: Would you trust system software from an anonymous source?

Tom Metro tmetro+bblisa at vl.com
Wed Mar 3 05:30:14 EST 2010


Dean Anderson wrote:
> I think that you didn't really understand what I meant by anonymous
> source.

Correct.


> By anonymous, I mean /only/ an email address, I mean no domainname, no
> history, nothing whatsoever but an email address from a free email site.  

OK, that clarifies it. There is effectively anonymous, and then there is 
intentionally anonymous. I had assumed the former, and I see you mean 
something closer to the latter.

Is there evidence that the person behind the code is intentionally 
trying to hide their identity? Have they withheld their name?


> Err, Most open source projects have a mailing address, or someone (a
> project manager) who does have a mailing address, a history in the
> field, usually a real job, and a phone number, more often than not, a
> domainname, which also has this information.  Larger projects are often
> incorporated, sometimes as non-profit, sometimes as for profit.

Open source is one of those "long tail" fields, where there is a 
comparatively tiny handful of projects that we all recognize that have 
well identified players behind them, and then there is the long tail 
consisting of hundreds of thousands of projects, where the project lead 
is effectively anonymous, because we don't know much about them beyond 
their email address, and usually name.


> Most aren't anonymous. For example, the FSF has a physical address.
> Richard Stallman has an office at MIT.  

The other reference points you cite (mailing address, domain 
registration) can all be forged, so you could have the appearance of 
non-anonymity.

What's far more important in these specific examples you cite is that RMS 
and FSF both have an established reputation.

But if you're being paranoid about security backdoors, you can't merely 
look at the credentials of the top name on the project. You'd also have 
to look at the full team of code contributors, or at least examine the 
way the project is governed and see if commits are being reviewed by 
those you do trust.


> This user and their name just appeared recently, and has no previous
> history in any related project, mailing list, or that field.

That's troubling, but could be considered irrelevant if the criteria I 
listed are met. If you audit the code, then it doesn't matter where it 
came from, as you've validated it. But the more practical criteria of 
sticking to projects with a sizable and established user community is 
pretty much mutually exclusive with having a project lead that has no 
track record.

What I'd be curious to know is what led your administrator to use this 
package? Was it just found in some random search? Or was it recommended 
by a person or community?


> They aren't really anonymous.  But I'm talking about a sockpuppet
> distributing software.

I'd never heard the term "sockpuppet" used in this context, but I see it 
is explained here:

http://en.wikipedia.org/wiki/Sockpuppet_(Internet)

   A sockpuppet is an online identity used for purposes of deception
   within an online community.


> The discovery that you can't find an address, past history, or phone
> number or anything should be a red flag, I think. 

Agreed. My emphasis would be on past history.


> Isn't the refusal of the email/sockpuppet to respond to queries for
> this information a wildly waving red flag?

Generally, yes.


> I don't agree that most open source software is anonymous and
> unaccountable.

I would still say that the overwhelming majority is effectively 
anonymous, but your point about an established track record is valid. We 
may not know with certainty where a project lead is physically located, 
or their legal name, but to some degree we can view their history and 
draw conclusions from that.


>>> 3. Would you consider it a bad judgment to use such software knowing
>>> (1) for sure...
>> Not at all, with noted qualifications.
> 
> What do you think given my clarification?

Given the details, I think you have a valid point that the administrator 
showed questionable judgment.

Other posters raised good questions regarding the seniority of the 
administrator, and what expectations you had for them, which really 
determines where your reaction falls - somewhere between "a teachable 
moment" and firing. Unless this is a repeated pattern and/or the admin 
sees no problems at all with the software's source, despite the issues 
you pointed out, it likely doesn't rise to the level of being a firing 
offense.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
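The checks Tom describes above (look at the full set of contributors and
their history in the tree, and see whether commits are reviewed by people
you trust) can be partly mechanized from a project's version-control log.
The script below is an added example, not code from the original message
or from any project discussed in this thread. It assumes a git repository
and parses the output of an assumed invocation

    git log --format='%H%x09%an%x09%ae%x09%as%n%(trailers:key=Reviewed-by)'

i.e. one tab-separated header line per commit (hash, author name, author
e-mail, author date) followed by that commit's Reviewed-by trailers. The
embedded log, the names, addresses and hashes in it, and the "trusted"
set are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample of what the assumed git log invocation prints.
# Hypothetical contributors and hashes; newest commit first, as git does.
SAMPLE_LOG = """\
a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0\tAlice Maintainer\talice@example.org\t2010-02-27
Reviewed-by: Bob Reviewer <bob@example.org>
0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4\tNewcomer\tnewcomer123@freemail.example\t2010-02-25
f0e1d2c3b4a5968778695a4b3c2d1e0f9a8b7c6d\tNewcomer\tnewcomer123@freemail.example\t2010-02-24
Reviewed-by: Alice Maintainer <alice@example.org>
123456789abcdef0123456789abcdef012345678\tBob Reviewer\tbob@example.org\t2009-11-03
Reviewed-by: Alice Maintainer <alice@example.org>
fedcba9876543210fedcba9876543210fedcba98\tAlice Maintainer\talice@example.org\t2008-06-14
"""

HEADER = re.compile(r"^([0-9a-f]{40})\t([^\t]*)\t([^\t]*)\t(\d{4}-\d{2}-\d{2})$")
TRAILER = re.compile(r"^Reviewed-by:.*<([^>]+)>\s*$")


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    when: date
    reviewers: list = field(default_factory=list)  # reviewer e-mail addresses


def parse_log(text):
    """Turn the assumed git log format into Commit records.

    A commit starts at a 40-hex-digit header line; any Reviewed-by trailer
    lines that follow are attached to the most recent commit.
    """
    commits = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sha, name, email, ymd = m.groups()
            commits.append(Commit(sha, name, email.lower(), date.fromisoformat(ymd)))
            continue
        t = TRAILER.match(line)
        if t and commits:
            commits[-1].reviewers.append(t.group(1).lower())
    return commits


def contributor_history(commits):
    """Per author e-mail: display name, first/last commit date, commit count."""
    hist = {}
    for c in commits:
        h = hist.setdefault(c.email, {"name": c.author, "first": c.when,
                                      "last": c.when, "count": 0})
        h["first"] = min(h["first"], c.when)
        h["last"] = max(h["last"], c.when)
        h["count"] += 1
    return hist


def newcomers(commits, cutoff):
    """Authors whose entire history in this tree begins after `cutoff`
    (a date or an ISO 'YYYY-MM-DD' string): no track record to judge."""
    if isinstance(cutoff, str):
        cutoff = date.fromisoformat(cutoff)
    return sorted(e for e, h in contributor_history(commits).items()
                  if h["first"] > cutoff)


def unvetted_commits(commits, trusted):
    """Commits neither authored by nor Reviewed-by anyone in `trusted`.

    These are the changes that entered the tree without any party you
    actually trust having signed off on them.
    """
    trusted = {t.lower() for t in trusted}
    return [c.sha for c in commits
            if c.email not in trusted and not (trusted & set(c.reviewers))]


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    for email, h in contributor_history(commits).items():
        print(f"{h['name']:<18} {email:<32} first {h['first']} last {h['last']} commits {h['count']}")
    print("newcomers since 2010-01-01:", newcomers(commits, "2010-01-01"))
    print("unvetted:", unvetted_commits(commits, {"alice@example.org", "bob@example.org"}))
```

Run against a real tree, the interesting output is the unvetted list: a
newcomer whose every commit was reviewed by an established maintainer is a
different situation from one whose commits went in with nobody else's
name on them. A Reviewed-by trailer is of course only as good as the
project's habit of adding it, so an empty trailer everywhere tells you
about the project's process rather than about any one contributor.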
