
ireneista
@ireneista

The official post-Cohost permanent URL for this piece is https://irenes.space/leaves/2024-09-29-xz-and-community

so these thoughts are only partially formed, but... well, we just managed to get them out in conversation elsewhere so we thought perhaps we'd share them here. it's a bit rougher than many things we write about, so let us know how much sense it makes...

so. a few years ago somebody we respect told us we were wrong to use the word "community" for things as large and amorphous as, say, "the FOSS community". they told us that it only counts as a community if the people are invested in each other, if people KNOW each other and care about each other.

we've taken that to heart, and worked hard to be clear when we're identifying a group that is actually a community, vs. one that isn't. because as much as we might wish the free software movement to be a community, that doesn't happen by saying the word and hoping it'll conjure community into existence. it happens by people doing the work of learning to talk to and care about each other.

when we talk about, say, the queer techie community, we feel entirely safe in using that word. that's because every time we walk into a room with ten random queer techies, we already know three of them. the social connections are dense enough, and at the personal level they are meaningful enough - real friendships, people who'd fight together for survival if we had to, because of our common history.

it may sound idealistic or impossible, but essentially... regarding threats such as what we saw with xz yesterday, our proposal to mitigate them is to focus not just on the material need for code review, but on making that social graph more tightly connected, so that individual maintainers can have not just the financial or operational support they need, but the EMOTIONAL support.

if this sounds like a weird tangent, keep in mind that part of the story that came to a head yesterday was that the attacker used sockpuppets to essentially bully the project owner into adding a malicious maintainer. see the documentation collected at [1].

the bullying and manipulation tactics worked because those behaviors are rampant in the larger FOSS social space.

FOSS as a whole may be too large to change - it includes people who are doing this stuff for vastly different reasons, including profit. we think that's too broad an umbrella, we don't know how to rally that whole crowd. if you do, great, please go for it, but personally we're trying to rally under the banner of free software, which is a smaller umbrella of people who are doing this for fundamentally ideological reasons.

what those reasons are differs substantially, but... we're very proactive-death-of-the-author about this. the FSF has failed to provide ideological leadership due to RMS's top-down style, but many of the ideals are good ones and it's the job of the current generation to renew the movement if we want our children to be able to enjoy its fruits the way we did.

if we form a nucleus of people who are invested in each other and let that investment also mean checking in on each others' projects and stuff from time to time, well... communities are the terrain that movements happen on top of. we would never, ever make a community subordinate to a movement, community has to be its own thing, for no purpose but itself. but we do think that building community is a very powerful action to take, in the long run.

none of the supply chain security proposals we've heard seem like they would have actually prevented the xz attack. for all its idealism and for all the problems it glosses over, we do think our proposal could have.

[1] https://boehs.org/node/everything-i-know-about-the-xz-backdoor


in reply to @ireneista's post:

Killer post as usual

This makes me think about jezdez founding the Jazzband which, in light of xz, isn't necessarily the most secure collective setup, but I think is worth examining.

Random thoughts while I'm working through your ideas on free software communities:

  • They should be numerous and would probably have different cultures
  • By extension, different expectations and practices around security
  • Which means a filtering of corporate support based on their usefulness to companies. This feels bad emotionally a little? But might be fine?
  • Ultimately the burden is still on library consumers to validate to their desired confidence levels.
  • Which means communities act as indirection against supply chain identity requirements
  • Even if the security story isn't much changed the emotional and labor support story is greatly improved
  • Alan Kay is still right about untrusted computing being one of the most important things to improve—preventing RCE is not nearly as useful as making RCEs less dangerous.
  • e.g. making all user data one-time use, have the post office grant tokens that can route packages without revealing the recipient until it is in the post office's hands, etc.

that all sounds about right to us :) thank you very much for the kind words! we seem to have used up all our thoughts on this topic for now, so we don't have much to add but we really appreciate the level of detail you're responding with, it's very much the direction we hope people think in

I agree, for what that's worth. There's a whole raft of problems on this similar theme: The value lying in permission to fork and not in diverse participants, the disinterest in enforcement, the constant fighting of the "last war," the lack of support for targets of powerful people, and probably much more. I'd love to see a grassroots version of these organizations that actually has a vision other than "people do what we want."

it only counts as a community if the people are invested in each other, if people KNOW each other and care about each other.

I agree with this!! I often try to use alternative words for FOSS stuff instead of "the FLOSS community" or "The Python community", instead using terms like "the open source industry" or "the Python ecology" or "the open source constituencies" or "Python audiences" as appropriate.

I'll quote from an older post of mine:

So far, in this post, I've said "message board", "website", "group", "users", "participants"; you may have noticed that I have not yet used the word "community." I am trying to be careful about how I use that word, because I think it subsumes some important assumptions.... RC cofounder Nick Bergson-Shilcock wrote, "Having a genuine community requires that people know the other people around them, and that everyone shares some fundamental values and purpose." I agree. (I'd also say that a genuine community also has to have some kind of systematic way for the membership as a whole to affect/veto decisions that will affect them...)

I recently ran into David Gurteen's definition, "A community is a group of people who share things in common, who work together towards a common purpose which they care about and who care deeply about each other." I am not ready to buy into Gurteen's thinking, given that Gurteen believes it is not possible to have a real conversation in text, only face-to-face and maybe via telephone/videocall, and I figure that definitions of community and of conversation are pretty connected.

so. a few years ago somebody we respect told us we were wrong to use the word "community" for things as large and amorphous as, say, "the FOSS community". they told us that it only counts as a community if the people are invested in each other, if people KNOW each other and care about each other.

see, that first half is why I call it a community. you don't get to pick it, it's there, warts and all. imo communities where mutual investment is common are like... new, in many ways, think about if it was a physically proximate thing instead of online.

I don't disagree with your post tbc, I just think that's a thing worth chewing on.

because the community you and a lot of other people seem to describe by clamping it to this is like, kinda analogous to a vanguard.

As always, I appreciate your post. I think you're correct about the need for community. You can't build something real without a social bond behind it.

Personally, I'm hoping to find a good community over time.