On Tue, 2010-02-02 at 18:39 +0200, Juha Tuomala wrote:

> There are around 200 countries and some have quite long distances,
> requiring to meet people face to face doesn't really sound very
> feasible.

Not being feasible doesn't remove the problem however.

>
> Easier would be to write red warning into wiki that "We actually
> don't know who took part of building fedora, so consider yourself
> warned."
>
> Didn't someone just crack berlios site to inject something into
> projects? In fedora you don't even need to crack anything, you get
> invited to commit.

This applies to virtually every software project in the world (with the possible exception of anything developed by the NSA, but then you'd have to trust the NSA when they say 'noooo, we didn't put any secret backdoors in. Doesn't sound like something we'd do.'). Proprietary vendors may claim to know everyone who wrote code in their projects, but how would you know they're telling the truth? And how can you trust them to have properly vetted all those people? With single person projects that isn't a problem, but as you so acutely pointed out, you have no way of knowing who that person actually is.

Asking these kinds of questions may seem like you're being clever and pointing out scary stuff but in the end it's a bit like pointing out that the universe is, like, huge, man, and nothing we do really, like, matters, you know? Everyone involved knows these things, but it's just a *tad* impossible to do a lot about it, if you're going to get really anal about pointing out the potential problems.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel