From krishna e bera on September 7, 2013 5:42 PM UTC:

> On 13-09-07 01:20 PM, Asa Rossoff wrote:
>> Trust is involved. Speaking of which, do we have bios of all Tor
>> contributors, esp. those that authorize code changes and those that compile
>> code? Do we have public ongoing accounting of who gets paid how much and
>> for what?
>
> Why would we need personal details of contributors? I agree with
> transparency in funding and payments in any donation-based organization.
> In the open source world, however, developers build up reputations
> based on their code and writing, not their real life background (which
> can be interesting as to motivation but is a poor indicator of code
> integrity and quality).

My motivation for making that statement is not so much because the bio would be any indicator of code quality, but because "Concurrently working in command capacity at NSA headquarters, managing Operation Freedom Tear-down" would indicate a conflict of interest :). Not that that person wouldn't disclose that fact.

I'm not asking for a long bio---not a résumé. And not necessarily for every contributor. But for all decision makers, and like I said, those who approve merges, and those who compile releases. Some information to help establish trust.

Also, redundant technical and/or procedural security measures in place to verify that compiled code is from the designated source would be a good measure. That's independent of who (or what) is compiling the code.

The Tor website recommends new users go and meet a developer and acquire their PGP keys in-person (obviously by extension after checking three forms of unfalsified identification and checking fingerprints, brain MRIs and CT scans, retinal scans, and facial and vocal analysis). That's a good idea, but I'd be interested to find out statistics on how many new users have done so before relying on the software and aren't also Tor developers themselves. I'm guessing the number is rather low.

I think even a sense of trust in the developers that would come from disclosing some personal information would be valuable. Unless all the other Tor developers who have a relationship with that developer are conspiring together, the information given is likely to at least not be believed to be false by the group as a whole -- and they would know better than the average user. And even if the trustworthiness of the information were assumed to be low, it gives users the sense of the personal, and I believe the sense of the personal is necessary in establishing psychological trust, and can help lead to wider adoption and wider financial, development, vocal, and other support for the project.

Perhaps put stock photos of innocent-looking types next to each bio (that's a joke).

> What if the intrepid Mr. Snowden wanted to work on Tor stuff? There's a
> good case for anonymous payments for gpg-signed contributions.

That's true. If we know it's Mr. Snowden, that would be good to know, as some may not trust him. His trustworthiness in the public eye was greatly aided by his Hong Kong and Russia on-camera interviews and his story being told by those that met him or who talked to those journalists who had (or have ongoing) relationships with him. Personally, listening to his voice and looking him in the eye helped me judge his character to a significant extent. It took the journalists that worked with him months to trust him enough to meet him or even be bothered with establishing secure communications.

However, I think a good case can be made for pseudonymous contributors (I don't know, we may have them now). It supports the philosophy of the project, and allows contributions from those who may not have the safety and freedom to contribute to a project like this publicly. Contributions from NSA and CIA employees aren't even necessarily ill-intentioned, although I think it would be best to not have people who might have a conflict of interest in any leadership or critical position in development.

I don't think open-source security software developers should be put through the whole politician treatment, but politicians are asked for transparency for the same reason: the public is wresting trust in them.

Asa

P.S. You may notice; I am not always quick on email responses :)...

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
