On 4/20/07, Tony Sidaway tonysidaway@gmail.com wrote:
On 4/21/07, George Herbert george.herbert@gmail.com wrote:
On 4/20/07, Tony Sidaway tonysidaway@gmail.com wrote:
Let's describe this "risk of attacks" to an "open source project" in more realistic terms: real harm done to real people on a daily basis. This isn't a bit of code that we can assign a "no warranties" disclaimer on. We have to take the damage very seriously.
And Linus Torvalds doesn't? A vulnerability snuck into Linux today would potentially affect half the servers on the Internet. A vulnerability snuck into Apache would affect a vast majority of the websites on the Internet. MySQL and PostgreSQL? Perl? Billions of dollars are at stake with those. Not being personally responsible for the goof wouldn't make the horrific consequences go away.
Quite. But look what the lkml is doing about it. Compared to them, we're still *literally* doing the equivalent of letting anybody commit to the main release tree and then umming-and-ahing about whether we'll take bug reports seriously and, you know, actually remove components that are causing damage.
We're not that bad. And a lot of that will get reduced with Stable Versions (taking commit rights away from most people, in software version control terms).
The problem is that we can only go so far to separate biographies out and treat them differently. We can't do a complete technical solution - even some sort of biography flag could be missed or undone or subverted, and there's nothing keeping someone from putting "Mister Skinner, the school's principal, is gay and sleeps with his male students" on a School article, or in a town's article, etc. That would be just as googleable as a bio on Leonard Skinner (example from The Simpsons, hopefully there's no real school principal who will take offense at this example...).
We can ban anon contributors, and make getting accounts harder. But that will cut down on contributions, and most contributions aren't vandalism, even anon contributions.
We can implement stable versions. That takes "Commit" away from the teeming masses.
We can continue to care about the problem and pay attention to it.
But we can't make it go away. And even if we could, it wouldn't solve the MySpace/YouTube/Blogosphere problems people have with libel and online attacks.
Are we a worse component of the problem than everyone else? No. Are we handling it more or less responsibly than everyone else? More.
Case closed. We're ok. Not happy-no-problem ok - it's legitimately an issue. But we don't need to tear the project apart over it.