Hacker News | 4ndrewl's comments

You're absolutely right! Let me go ahead and fix that now...(the sound of credits disappearing...) /s

Is the onus really on people who write code here? It really should be on those who choose to use this unsigned code, surely?

Perhaps, but if it's gotten to the point where millions of people download the unsigned code, signing should probably become required. Even reproducible builds.

Required by who though? If your business etc depends upon some code, it's up to you to ensure its quality, surely? You copy some code onto your machine then it's your codebase, right?

While I think anyone unwilling to sign their code is negligent, I also feel anyone unwilling to ensure credible review of code has been done before pushing it to production is equally negligent.

Anyone that maintains code for others to consume has a basic obligation to do the bare minimum to make sure their reputations are not hijacked by bad actors.

Just sign commits and reviews. It is so easy to stop these attacks that not doing so is like a doctor that refuses to wash their hands between patients.

If you are not going to wash your hands do not be a doctor.

If you are not going to sign your code do not be a FOSS maintainer.


No they don't! They have literally no obligations to you - and you've got the MIT/APL/GPL license to prove it. You're getting the benefit of their labour for free!

Even if they did sign the code, what's stopping them slipping some crypto link in? And do they also need to check all the transitive dependencies in their code?


They have basic obligations as highly trusted FOSS software maintainers, a role they allowed themselves to be elected into, to make sure their hard earned goodwill and trust is not stolen by a bad actor. They also have a basic obligation to make sure they have accountability and review of all code before it gets to their users.

Sitting back and expecting Microsoft to keep the community safe is going to continue to end badly. The community has an obligation to each other.

Like, no one is making someone go bring a bunch of food to feed the homeless, but if you do, you have some basic social obligation to make sure it is sanitary and not poison.

People who give things away for free widely absolutely have obligations, and if they do not like those, they should hand off the project to a quorum of responsible maintainers and demote themselves to just a contributor.


They literally owe you nothing. They can walk away tomorrow, sell their github account, introduce breaking changes, add bugs, die, add crypto links, whatever.

> if they do not like those, they should hand off the project to a quorum of responsible maintainers and demote themselves to just a contributor.

The most responsible thing to do is to release it under an OSS license and let whoever, yes - including you, fork and maintain their own copy if it's that important.


If you're paid then sure. Otherwise... It depends.

Is a doctor doing volunteer work still obligated to wash their hands between patients?

Is a food pantry giving away free food obligated to check expiration dates and make sure the food is properly sealed?

Volunteer work absolutely has obligations, and I do not know why software volunteers are exempt from any responsibility unless they are being paid.

If you do not want to do the volunteer work in a safe way, please hand off the job to a volunteer willing to do so.


Literally untrue as we don't have proportional representation.

Sounds like a non-sequitur?

Proportional representation is nice, but it's neither sufficient nor necessary.


I think your disgrace-level calibration needs adjusting given everything else that's going on rn buddy.

Or perhaps it's in the context of the current US administration having spent the past year telling Europe to get screwed on trade, military etc?

It's often useful for me so that I can know how to address you/refer to you, especially if it's a foreign (to me) name I'm unfamiliar with.

What's your research background in this area?

How is that relevant? A decent scientist can critique general design aspects of a paper in any field. They're hardly splitting hairs on some niche topic.

Apologies, I didn't realise they were a decent scientist.

I'd say low, given his surprise about "wiring looms" which have been the norm for 50 years? Nice write up though!

It's an incursion. He got confused and keeps saying excursion, which is a different thing.

No, he's describing himself. His term so far has been a power excursion that's just getting more extreme as it goes on.

It’s an excursion: a lovely hike onto the mountains of Iran. It’s just that the locals aren’t too friendly.

Because LLM users are NIH factories?
