Skin in the Game (pocoo.org)
79 points by smitty1e 7 months ago | 63 comments



TIL that untypical is a word that means the same as atypical.

It's funny. I think of anonymity as something that has been part of the Internet going back through at least the last three decades of my experience with it. Back in the day you had anonymous retailers, let alone people using pseudonyms. It was very much part of the fabric. If anything, it feels like anonymity on the Internet is harder to achieve these days.

Even if you know the identity of a contributor, you have to consider the possibility that they or their systems have been compromised. I agree it's stressful and difficult to be constantly vigilant about contributions, but it's kind of all there is.


I think the internet always had anonymity. I do think it was easier to be anonymous on the surface but at the same time there were so many fewer people on the internet that it wasn't that hard to uncover the person behind the curtain.

I do however think that this is unrelated to the Open Source angle. You will still find this sentence on Eric S. Raymond's "How To Become A Hacker" guide which in some ways shows how much this attitude has changed in the years since:

> Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms. Hackers don't do this; they're proud of what they do and want it associated with their real names. So if you have a handle, drop it. In the hacker culture it will only mark you as a loser.

I don't think a lot of people will still subscribe to that idea today.


yea, nobody at the time bought it either.


I disagree on the “nobody”. A lot of people did function that way as evidenced by a long history of contributions to open source projects. Certainly the folks that brought me to Open Source had no quarrels with having their real identity associated and definitely neither did I.


Absolutist statements rarely help, I agree.

Specifically I was referring to the dropping of handles, not the association with real identities.


I agree

Part of that is getting older. A decade ago I contributed to Python under the name "Demur Rumed" & that's what they put in the 3.6 contributor list. Back then I worked at a company that didn't use GitHub so it was all personal stuff that I'd put under that name.

Since then I started working in open source companies that are operating on GitHub. In an early meeting someone asked "who's this Demur Rumed making random pull requests?" Sheepishly I declared myself; "Please update your profile with your real name."

Growing up in the 00s, the advice for teenagers going online is that they should protect themselves by not sharing their identity. For years I avoided associating my real identity online (outside obvious things like banking, which wasn't associated with my online identity)

Hard to tell if this is a macroscopic trend, or just my experience. Personally I prefer pseudonymous identity. But I've never been anonymous, since there's 20 years of digital trash left around at this point


> the advice for teenagers going online is that they should protect themselves by not sharing their identity.

To me this is still the basic advice. This is not just for when something really bad happens, it's also all the smaller things. Like whether they need their employer to know they had a strong pro-union stance in the past. Or if they really like and promote some artist, that later happens to have an incredibly bad reputation dragging their fandom down with them, etc.

There's just no real upside IMHO...except many companies will expect kids to have some online presence and expose what they're doing to the world, and might give preference to people with a strong following online.

So they are still advised to keep a safe and positive "public facade" somewhere to deal with these kinds of expectations, and have their "real" accounts anonymized.


It's still good advice for generic online conversations (not necessarily contributions, but that's not what the adults had in mind when they gave that advice), but became effectively impossible the moment Facebook started letting other people tag you even if you didn't have an account.


> Since then I started working in open source companies that are operating on GitHub. An early meeting someone asked "who's this Demur Rumed making random pull requests?" sheepishly I declared myself, "Please update your profile with your real name"

I make a new GitHub account for any new job I start using my company email

I never use my personal accounts for anything work related

I once got a message from HR telling me to update my LinkedIn with a company approved Bio section and a company photo they provided, and I just ignored it. They badgered me a bit, complained to my boss and such, but ultimately it's my account so they could not compel me to change it

I hate that companies feel entitled to do so, though


> I make a new GitHub account for any new job I start

Beware of GitHub's terms of service, then: "you may not have more than one free Account" <https://docs.github.com/en/site-policy/github-terms/github-t...>


For open- or closed-source work?

If I'm doing open source coding, whether professional or not, I'd always want that associated with my personal GH account.


If I'm being paid by an employer to do it, it doesn't go on my personal anything, period

I don't own that code so I don't associate it with personal accounts

But I've never done open source work for an employer either


I also only use a separate account for open source work for my employer. There are multiple benefits:

* My employer has no say in my private account. They can't force me to change my private bio or profile name, for example

* It's clear which code I authored as a part of my employment and which I did on my own after hours (extremely important for me).

* I work in IT security so I should give an example :). Some projects my company hosts on GH are not public (yes), or some projects I have access to because of my work. I shouldn't touch them after I leave my current company, or access them from private devices.


It's still good advice and maybe the best advice.

Look at all of us on hn with our cute little handles, or our throwaways.

You know who doesn't like anonymity? People who want to control you. People who want to harm you for what you think, and what you say.

This is the internet and it started with a dream, and then a bunch of people came on and didn't like that dream but they sure wanted that sweet sweet internet cash and ever since they've been fighting tooth and nail against that dream because it's a threat to their very ethos. Fuck them, I choose internet.


That's anonymous remailers. Jeez, autocorrect hates me.


> Maybe verified identities are an illusion, but sometimes these illusions are all that's needed to feel more relaxed.

Author almost realizes that they're asking for something that is at best a mirage and then bats away that thought[0]. But that's not something that you can casually dismiss near the end of your post, it's a crucial flaw in the whole idea! The comfort that you get from seeing "John Smith" as the contributor instead of "rand_user_43" is indeed an illusion; not only do you have no way of knowing that "John Smith" is their real name, even if you did demand to see their government ID, and even if that was forgery-proof and definitely identified them, they can still commit malicious code; the best hope is that you can impose after-the-fact consequences, but that's... really optimistic, especially as a deterrent.

[0] An alternative steel-man is that the author does grasp that they're pining after something that doesn't actually work but still argues for it, but that feels even less charitable so I'm going with the other interpretation.


Author here. I’m not asking for anything in particular, I’m primarily writing about a shift in Open Source culture I have observed.


I mean, maybe s/asking for/wishing for/g? but the summary of the post really reads to me as approximately "I really liked it better when contributors weren't anonymous". I grant that it reads as hedging a lot and acknowledging that that has problems, but it's not at all neutral overall.


I’m not sure myself. I think on the range of that, what I wish contributors had is some form of known identity, but that doesn’t have to be a specific form of one. Some form of social contract that when you contribute you are not someone who will disappear. However it looks like that’s something that not everyone subscribes to any more.

I would love to know how the kernel and other projects approach this nowadays. Their contribution guides imply an abstract sense of identity but they don’t describe much what this entails.


That's fair. I think I could support wanting stable/persistent identities, but not tying them to real-life identities. Though it's worth pointing out that neither would have helped with the xz incident AIUI.


There was a short entertainment clip on YouTube with ex-CIA person Jonna Mendez - that I can't immediately find - in which she said (as accurately as my heavily quantized memory goes) "The Agency can produce anything, so long as it's made of paper, for official purposes". And it struck me, despite being aware that spies forge documents all the time: it'll be the real deal when they do it. There is some process legitimacy that backs those.

I doubt the xz maintainer would have rejected Mr. Jia Tan with verifiable record of employment with a defense contractor and complete Virginia identity, on the basis that their printed application form has no fingerprints and is not showing valid printer tracking dots. That isn't realistic at all, and wouldn't have mattered.


> Skin in the game

In the title but never elaborated on. (Kind of like CDO.[1])

Anyone who makes an effort has skin in the game. Unless your PR was made by ChatGPT or you are sending out spam PRs, you have skin in the game. (Of course there’s an asymmetry here since the maintainer has to deal with this spam. But isn’t it like email? Eventually with enough spam it will be tolerated to by-default ignore solicitations based on heuristics.)

Someone can spend a week on a PR and get immediately rejected because the maintainer liked neither the approach nor the feature. Okay but wait, you say, why didn’t you just ask about the design before you made the PR? Because some projects will politely say “send patches” if you first do a preliminary feeler-inquiry. They won’t even tell you what the chances of such a change being accepted are and will just give you a generic “we will judge it on its merit and usefulness”.[2]

> In a sense this is a generic rant about missing the “good old times” (that probably never were), where people talked to each other eye to eye.

They’re simulating eye-to-eye/real life interactions. In real life I can be eight different people under my real name because physical interactions are localized. On the public Internet, under the same name, everything is in the same place.

And the Internet has gotten more hostile over the decades.

[1] https://lucumr.pocoo.org/2024/3/26/rust-cdo/

[2] I have a particular project in mind


Most open source projects have not just the final source published, but also all communication for patches, features and their relevant discussion.

That could be on GitHub, a traditional mailing list, or some other hosting platform.

You can’t tell in advance how your work will be received, but you can empirically tell how others’ work has been received. And even compare the communication styles.

And it’s not rocket science that well reasoned patches, with tests, splitting out separate commits, explaining the reason for the change would be better received than a typo laden one-liner, “I needz it”.

It’s up to the submitter to match the flow of the project.


> And it’s not rocket science that well reasoned patches, with tests, splitting out separate commits, explaining the reason for the change would be better received than a typo laden one-liner, “I needz it”.

I said makes an effort.

You can implement a novel feature (and well) and get it rejected.


I’m saying without writing any code I can already tell, within a reasonable level of confidence, if a patch would be accepted by looking through past contributions. You’re not working in a vacuum.


I choose to post under my real name, it forces me to think harder and more often about saying some smartass thing (which still happens anyways because I grew up on 4chan or whatever, slashdot I guess mostly but the internet used to have a rough sense of humor as the default), and to apologize earlier and more often if I get called out on it by someone who is right.

But I’m not sure it nets out in my favor anymore: it’s just a huge handicap to be totally honest and transparent in a world that will really hold past mistakes against you in a very arbitrary way with the only consistent theme being that “important” people rarely face any consequences (some might say these days, even real scrutiny).

My current solution-in-progress is a handle (b7r6) that’s a decent Unix name, has my initials in it so no secret if it matters, but kinda changes the tone to like, “I’m a real person but I kinda want to be treated like an opaque ID unless it’s damn important.”

It’s a sock on the doorknob, not a lock, but I can’t think of anything better just yet.


I've gradually migrated all my accounts to pseudonyms over the past few years, also citing arbitrary social punishment and unlimited downside of sharing my identity, combined with (more) limited upside.


This feels like the opposite of my experience. In the early days of the internet nobody ever used their real name anywhere. It was all forums and IRC usernames.


I also have a similar feeling. Though I think OP is talking about open source contributions which might be different from more casual forums and IRC.


I think the stress is the billions of users and vital systems depending on it which wasn’t true in 1989 or even 1999 or 2009


I would like to see the impossible: an AGPL kind of license that disavows attribution. No ego, personalities, decentralised, distributed, copyleft with the power to enforce it. In the early days of Creative Commons there was a no-attribution license option in the license maker they had but it was abandoned.

Copyright is from an author but I would like to see authorship revoked not just rights granted. Perhaps some kind of corporate authorship so there is one organisation with the actual legal rights? There's no reason why contributors have to be anonymous - the project with the license can have named, verified, real people. The legal stuff is beyond me!


Train an LLM with it and then let it write the code.

At least Microsoft believes that works.


Anonymity is a many-faceted issue. I have various personas on the Internet, but the truth is that any serious research can probably link them together.

Why do most people want anonymity (or pseudonymity)? Most of us are not in any sort of actual danger. If someone links my identities together, nothing horrible is going to happen. At worst, my employer will get some nasty email by someone I offended with an uncareful remark, which would have no consequences beyond a confused question.

Is it just a matter of comfort? Is it not wanting to have to be so careful what we say? Is it because we actually have different facets to our personalities, and want to give each of those facets expression?

Anyway: My open source projects are linked to my real identity. That's not an aspect of my identity I have any reason to hide. I don't see why anyone should. Heck, if you're young, your contributions may be important to your career: "Look what I did, you should hire me!"


In my case it is: Having anonymous accounts gives me “freedom of erasure”. So, if I want to quit platform Z, for me it’s as easy as doing nothing: I don’t mind the (anon) posts I wrote, I don’t mind the email I signed up with (used exclusively for anon purposes); all that stuff is not linked to me, so I don’t mind what happens with it. On the other side, if all that stuff is linked to my name, I need to take care of making sure it gets deleted by platform Z and all the other places where the stuff has been replicated (which is almost impossible nowadays).

I don't want people to know what I wrote 15 years ago in some place of the internet. That’s not me anymore.


> I don't want people to know what I wrote 15 years ago in some place of the internet. That’s not me anymore.

Did you always feel like that or is that something that came out of the experience of what people do with that information?


Seems like a purely legal problem to have some form of real world handle. For such problems, I'd also expect a legal solution.

For example, the license could include something like: if we cannot identify and contact you in a reasonable amount of time, you have no say. Or: contributions from a certain amount of lines of code require a stable contact etc.

I don't see a problem of liability in general. And for special cases, one can still require verification. I can very well imagine that people develop critical software open source. For example, a governmental app, or a software for a nuclear power plant. Then, the public can also have a look and see how things are operating. However, open source doesn't mean that anybody is invited to contribute IMHO.


A lot of things could be done, most projects don't do much that is extra work. In practice most projects do something that is within what is socially acceptable, what people do and what does not require extra effort. The fact that even large projects like the Linux kernel are much more relaxed about pseudonymous contributions today to me is at least an indication that this is where things are going.


The author seems particularly hung up on the legal implications and consequences of being an open source contributor or project maintainer: "not all legal consequences can be waived", "distance to the legal system", "the real world legal consequences are then stuck with me", etc. It would benefit us all for the author to be specific about these if they are indeed real, as to my knowledge these are mostly FUD.

There are certainly negative aspects to being an open source project maintainer [1] but being legally liable for code offered as-is that you did not author, or being droned by a foreign military intelligence service for accepting a backdoor contribution are not it.

[1] https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/


There are definitely real world consequences of security or licensing issues in Open Source libraries. They are not always that someone will sue you but they are not necessarily any more pleasant.


Perhaps you should speak more about those consequences you’re afraid of?

Take the xz incident from this weekend. No one is crucifying the maintainer who gave Jia Tan committer rights. No one is prosecuting or persecuting them. Everyone understands that they were under stress. I’m yet to see a single negative thing even being written about them.

The legal consequences you fear feel more imagined than real. As long as you do the best you can with the knowledge you have, no one is taking you to court or putting you in jail over it. I know people online don’t take the No Warranty clause statement seriously when they demand support, but a court definitely will.

At worst someone may come and ask you “is Jia Tan your alter ego?” And leave when they realise it's obviously not.

But if you’re arguing that you’re risking reputational harm, where you might get a rep as “the guy who lgtm-d the backdoor PR without reviewing closely”, yeah that’s possible. And it’s a reasonable fear. That’s a risk you’re taking when most of the reward is to society benefiting from your work.


> Perhaps you should speak more about those consequences you’re afraid of?

I'm not particularly fearful of anything. It's an observation of a cultural change that I perceive. I'm facing many more interactions with throwaway accounts, individuals that have no desire to establish a reputation etc. It changes the way you communicate in subtle ways, there is less of a belief that you will run into some of those folks at conferences or they would not disclose themselves.

The legal elements of that are largely hypothetical since most folks will statistically not be involved with a lawsuit. However the legal underpinnings are largely what enables Open Source, so we cannot completely be blind to this. At the same time it's also clear that we care less about this as a whole. While it was once much more commonplace to verify authors, to vet licenses and contributors, that's clearly something that even established projects do less of. I have no idea what this means, but it seems like it's a shift nonetheless.

The practical implications are much more obvious. The creator of xz also suffered inconveniences despite not being the perpetrator when GitHub restricted their account.

> I know people online don’t take the No Warranty clause statement seriously when they demand support, but a court definitely will.

That's not entirely clear. At some point even writing code can become a legal matter and plenty of software engineers who were charged and convicted under wire-fraud charges are there to tell a story. Mind you, many of those things were outright obvious malice, but we don't know for sure where such lines are drawn.


> many of those things were outright obvious malice

Yeah, exactly what I'm saying. As long as you put software out there in good faith, you won't be convicted of wire fraud. So just ... don't be malicious I guess? That seems like a low bar that all of us can clear.

> While it was once much more commonplace ... to vet licenses

I don't know why we need to vet licenses? We've mostly come to a consensus. Most software is either MIT/Apache (anything goes), GPL (release your modified source as GPL) or some weird license masquerading as open source (hi Mongo and redis). We don't need more innovation in this space, we need less. And there's not much to discuss when almost all software is one of the first three licenses.

> legal underpinnings are largely what enables Open Source

I'd argue that if Open Source is continuing to be developed despite us not verifying identities, maybe it isn't necessary anymore? Maybe it was just something we did back in the day, but we don't need to anymore because the landscape has changed. It's possible what we actually needed was authentication - that this PR is actually coming from Armin and not someone masquerading as him. And GitHub provides that with its username, password and 2FA.

As long as there's no account level hacking involved and I know the person who submitted this change is the same as the one I think they are, that gives me a lot of confidence. At that point it doesn't matter if the change came from Armin (who I've never had the pleasure of meeting), or Asahi Lina (who I never will meet).


Since the times have changed and it's acceptable for people on the internet to be angry at anybody for anything, no wonder fewer and fewer people are willing to risk their physical identity or even online pseudonymous identity.


Not sure if I get the point with this one, but what I know for sure is: as long as there are maintainers there will be open source as it is now. The "system" will only change when we stop having maintainers.


Btw, that's also my worst nightmare scenario for Bitcoin as it is now. And there are incentives for "long term" attacks.


all energy will turn into (useless) information in the long term


I think there are three possible stances here. Either you have nobody knowing your real name, somebody knowing your real name or everybody knowing your real name.

Many open source projects use the first one, the article advocates for the third one, but I personally find the second one least objectionable.

In the current culture, a "full real name" policy is almost unachievable because of the backlash from trans folks, who may not be able to change their legal name (this is very hard or even impossible in some countries), but yet don't want to see their old name on a daily basis. Whether you find the backlash to be entirely justified or caused by "woke people and their vile woke ways" is completely beside the point, the backlash will happen and you have to contend with it somehow. There are also bias-related implications here, if you're part of a minority that is often discriminated against, you may want to adopt a name that doesn't immediately give that fact away.

I think a good compromise here would be to introduce some kind of "verified" badge for GitHub accounts. This badge would only be given to people who pass an ID and liveness check, enable 2FA on their accounts, use an avatar of themselves or no avatar at all, indicate the country they live in on their profile (consistent with the country of issue of their document), and either use their real name or a name that is clearly a pseudonym. Repo owners could then limit contributions to such verified badge holders. Such a step shouldn't be taken lightly, this would massively limit the amount of contributions for such repos, particularly from "conscientious objectors" to GitHub's business practices, but would perhaps be a good choice for libraries requiring very little maintenance and with massive security implications.


> There was a bit of a kerfuffle (https://www.openwall.com/lists/oss-security/2024/03/29/4) about subverting open source projects recently

> [...]

> A well established identity on the internet creates a form of inner peace

Worth noting that the motivating incident (xz backdoor) was a user with legitimate history under what at the time appeared to be a real name. Even mandatory ID verification may not have helped in this case, if they're a state actor.


But, if they had presented such a passport, we would know they were a state actor. Or at least be able to assume it to a much more reasonable degree.


Really? Organized crime also produces fake documents, and they are sold/smuggled to independent actors constantly.

Plus, identity theft is not an uncommon crime.


And what difference does that make - Really?


It increases the cost for the attacker, forging ID is expensive and against the law. It also leaves behind additional evidence that might be useful to investigators.


The attacker wasn’t a random kid having fun. If they have the resources to do this kind of attack, they can definitely forge IDs.


Pseudonyms are fine, as long as each person has only one, and multiple alts are guaranteed to be extremely costly to create. People are primarily just afraid of being duped or tricked somehow by someone hiding behind multiple identities, otherwise they don’t treat pseudonyms much differently.

Of course there’s a practical difficulty in making sure creating the first pseudonym identity has a low bar but also to make sure that subsequent creations have much higher bars.

One way to get around this is to mandate a real identity account but allow it to be private without a public facing component, and allow up to one pseudonym account to be linked to it privately.


The cost of a pseudonym is the amount of work you invest to build a reputation, I don't think there's really a problem here.


A bona fide genius might be able to build a similar reputation for 3 pseudonyms in as much time and effort as it takes for a more average person to build 1.

Obviously most people are not bona fide geniuses and they know it, so there’s always a lingering fear of being taken in somehow.


Throw the resources of an APT at the problem, how many reputationally high pseudonyms could be generated?


> Pseudonyms are fine, as long as each person has only one

What's the problem with real person John Doe also having an account called anon12345?

The problem isn't one person having multiple identities, the problem involves mismatches between the quality or qualities of those identities versus particular use cases.


Like I said a limit of one pseudonym on top of the real identity. If everyone knows everyone else is hard limited to a max of 1 pseudonym, then they wouldn’t be afraid any longer.


> hard limited to a max of 1 pseudonym

A single combined pseudonym that becomes permanently useless for the rest of your life once it eventually accumulates enough little hints and other metadata across all services to get dox-able to your real identity? Hell no! [0]

Even if it can be "killed" in favor of a secret successor pseudonym, that's still terrible, because the limited-life and periodic social death aspect is still there, and because humans regularly have different sides in different social contexts. Who wants to screen online dates with the same pseudonym used for asking resume advice?

> then [people afraid of sockpuppets and impersonators] wouldn’t be afraid any longer

If you're that afraid that a pseudonymous account isn't real, you know what? You just ask them to positively authenticate before extending any trust!

Why should everyone else in the world submit to a dystopian panopticon, merely to satisfy your lack of due-diligence and/or anxiety to avoid confrontation?

[0] Would you use the same password everywhere on the internet too? Similar risk-management issues arise here.


> services to get dox-able to your real identity? Hell no! [0] […] Would you use the same password everywhere on the internet too? Similar risk-management issues arise here.

I'm not sure this follows. It's clear that reusing a password is a bad idea, and more importantly a password is supposed to be secret. Identities _usually_ are not. It's clearly different in the context of Open Source but you would not go into many commercial transactions without verifying the person on the other side.

In quite a few countries (eg: Germany) you cannot even voluntarily change your name and your personal information in many ways is required to be public (Impressumspflicht). Sweden maybe goes even further by making tax records public. If that was the same situation as with passwords then life in those countries would not work.


> Pseudonyms are fine, as long as each person has only one, and multiple alts are guaranteed to be extremely costly to create.

You’ve invented Real Identity #2. So now you have effectively two real identities, a step up from just one but you don’t have the pseudonym capability of reinventing yourself whenever you want.


Over a long enough time span, assuming anyone else cares, then yes of course the likelihood of being revealed approaches 100%.

It’s still better than the alternatives for those afraid of being tricked.



