Dean Anderson wrote:
> I think that you didn't really understand what I meant by anonymous
> source.

Correct.

> By anonymous, I mean /only/ an email address, I mean no domainname, no
> history, nothing whatsoever but an email address from a free email site.

OK, that clarifies it. There is effectively anonymous, and then there is intentionally anonymous. I had assumed the former, and I see you mean something closer to the latter. Is there evidence that the person behind the code is intentionally trying to hide their identity? Have they withheld their name?

> Err, Most open source projects have a mailing address, or someone (a
> project manager) who does have a mailing address, a history in the
> field, usually a real job, and a phone number, more often than not, a
> domainname, which also has this information. Larger projects are often
> incorporated, sometimes as non-profit, sometimes as for profit.

Open source is one of those "long tail" fields, where there is a comparatively tiny handful of projects that we all recognize that have well identified players behind them, and then there is the long tail consisting of hundreds of thousands of projects, where the project lead is effectively anonymous, because we don't know much about them beyond their email address, and usually name.

> Most aren't anonymous. For example, the FSF has a physical address.
> Richard Stallman has an office at MIT.

The other reference points you cite (mailing address, domain registration) can all be forged, so you could have the appearance of non-anonymity. What's far more important in these specific examples you cite is that RMS and FSF both have an established reputation. But if you're being paranoid about security backdoors, you can't merely look at the credentials of the top name on the project. You'd also have to look at the full team of code contributors, or at least examine the way the project is governed and see if commits are being reviewed by those you do trust.

> This user and their name just appeared recently, and has no previous
> history in any related project, mailing list, or that field.

That's troubling, but could be considered irrelevant if the criteria I listed are met. If you audit the code, then it doesn't matter where it came from, as you've validated it. But the more practical criteria of sticking to projects with a sizable and established user community is pretty much mutually exclusive with having a project lead that has no track record.

What I'd be curious to know is what led your administrator to use this package? Was it just found in some random search? Or was it recommended by a person or community?

> They aren't really anonymous. But I'm talking about a sockpuppet
> distributing software.

I'd never heard the term "sockpuppet" used in this context, but I see it is explained here:

http://en.wikipedia.org/wiki/Sockpuppet_(Internet)

  A sockpuppet is an online identity used for purposes of deception
  within an online community.

> The discovery that you can't find an address, past history, or phone
> number or anything should be a red flag, I think.

Agreed. My emphasis would be on past history.

> Isn't the refusal of the email/sockpuppet to respond to queries for
> this information a wildly waving red flag?

Generally, yes.

> I don't agree that most open source software is anonymous and
> unaccountable.

I would still say that the overwhelming majority is effectively anonymous, but your point about an established track record is valid. We may not know with certainty where a project lead is physically located, or their legal name, but to some degree we can view their history and draw conclusions from that.

>>> 3. Would you consider it a bad judgment to use such software knowing
>>> (1) for sure...
>> Not at all, with noted qualifications.
>
> What do you think given my clarification?

Given the details, I think you have a valid point that the administrator showed questionable judgment.

Other posters raised good questions regarding the seniority of the administrator, and what expectations you had for them, which really determines where your reaction falls - somewhere between "a teachable moment" and firing. Unless this is a repeated pattern and/or the admin sees no problems at all with the software's source, despite the issues you pointed out, it likely doesn't rise to the level of being a firing offense.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
