279 lines
14 KiB
Markdown
279 lines
14 KiB
Markdown
---
|
|
title: Contributor Code of Conduct
|
|
sidebar: true
|
|
...
|
|
|
|
# Peace on Earth to all men of good will
|
|
|
|
May you do good and not evil. May you find forgiveness for yourself and
|
|
forgive others. May you share freely, never taking more than you give.
|
|
|
|
# Operational Security
|
|
|
|
A huge problem with software that relates to privacy and/or to money is
|
|
that frequently strange and overcomplicated design decisions are made,
|
|
(passive tense because it is strangely difficult to find who made those
|
|
decisions), decisions whose only apparent utility is to provide paths for
|
|
hostile organizations to exploit subtle, complex, and unobvious security holes.
|
|
|
|
McAffee reported that this is a result of plants - the state plants engineers
|
|
in nominally private organizations to create backdoors. Shortly after he
|
|
reported this he was arrested and murdered by the US government. (To be
|
|
precise he was arrested at the instigation of the US government, and then
|
|
"mysteriously" murdered while in prison. Prison murders remain
|
|
"mysterious" only if carried out by the state.)
|
|
|
|
These holes are often designed so that they can only be utilized efficiently
|
|
by a huge organization with a huge datacentre that collects enormous
|
|
numbers of hashes and enormous amounts of data, and checks enormous
|
|
numbers of hashes against an even more enormous number of potential
|
|
pre-images generated from that data.
|
|
|
|
Another huge problem is that if we get penetrated by enemy shills,
|
|
entryists, and buggers, as the Patriot Front is and the Jan Sixth protestors
|
|
were, we are likely to wind up like the January sixth protestors, who as I
|
|
write this are imprisoned indefinitely being tortured by black guards
|
|
recently imported from the northern part of black Africa, awaiting
|
|
trial with no likelihood of any actual trial for years.
|
|
|
|
Recall that when the Ethereum project began, key contributers were grabbed
|
|
by the FBI on vague trumped charges, held incommunicado, and threatened
|
|
with thirty five years imprisonment and never seeing their children again,
|
|
and since then the Ethereum project has been strangely cooperative with state objectives.
|
|
Satoshi maintained cast iron operational security when Bitcoin was getting started.
|
|
The Ethereum foundation failed to do so,
|
|
with people acting under their own official government names and tax numbers,
|
|
and as result, was nobbled.
|
|
|
|
## No namefags
|
|
|
|
A participant who can be targeted is likely to introduce unobvious security
|
|
flaws into the software architecture. All contributors should make some
|
|
effort to protect themselves against a third party subsequently coercing
|
|
them to use the reputation that they have obtained by contributing to make
|
|
subsequent harmful contributions. For example when Telegram founders visited the
|
|
US, they caught heat.
|
|
|
|
All contributors will use a unique name and avatar for the purpose of
|
|
contributing to this project, and shall not link it to other names of theirs
|
|
that are potentially subject to pressure. In the event of videoconferencing,
|
|
the participants shall wear a mask over the lower part of their face that
|
|
conceals the shape of their mouth and jaw and a rigid hat like a fedora that
|
|
conceals the shape of the upper part their head.
|
|
|
|
Apart from your mouth, the parts of your face that communicate non
|
|
verbal information turn out to be surprisingly useless for identifying
|
|
individuals.
|
|
|
|
If you wear glasses, should not wear your usual glasses, because facial
|
|
recognition software is very good at recognizing glasses, and easily
|
|
distracted, confused, and thrown off by unusual glasses.
|
|
|
|
Even if there are gaping holes in our security, which there will be, and
|
|
even if everyone knows another name of a participant, which they will, no
|
|
need to make the hole even bigger by mentioning it in public. People who lack
|
|
security are likely to result in code that lacks security. They come under
|
|
pressure to introduce an odd architecture for inexplicable reasons. We see
|
|
this happening all the time in cryptographic products.
|
|
|
|
# Code will be cryptographically and pseudonymously signed
|
|
|
|
Everyone participating in the project should have a username unrelated to the name
|
|
and identity that they use for other purposes, and an ssh key that they use signing
|
|
commits to this project, and for no other purpose, separate from any key used for
|
|
signing in to remote machines, and located in the `.git` directory of their local repository
|
|
(not their `.ssh` directory, for public keys in the `.ssh` directory get exposed to
|
|
too many machines, revealing a relationship between nym and network address)
|
|
with the public key also located in the `.gitsigners` file, where it is shared with
|
|
everyone through the upstream repository
|
|
|
|
Note that the file is called `.gitsigners`, not `.gitallowedsigners`,
|
|
`gittrustedsigners` nor `.gitapprovedsigners`. Everyone should sign every commit,
|
|
everyone who submits a pull request or otherwise makes their commits available to others
|
|
should add themselves to the `.gitsigners` file and if their commits are good,
|
|
eventually other people will trust them.
|
|
|
|
When we are truly eating our own dogfood, will not need a `.gitsigners` file, because we will have
|
|
a public ever growing data structure creating a unique append only mapping between
|
|
public keys and arbitrary data.
|
|
|
|
Of necessity, we will rest our developer identities on ssh keys, until we
|
|
can eat our own dogfood and use our own system's cryptographic keys.
|
|
Login identities shall have no password reset, because that is a security
|
|
hole. People should rely on ssh for login.
|
|
|
|
Every pull request should be made using `git request-pull`, (rather than
|
|
some web UI, for the web UI is apt to identify people through the domain
|
|
name system and their login identities.)
|
|
|
|
The start argument of `git request-pull` should correspond to a signed
|
|
commit by the person requested, and the end argument to a signed and
|
|
tagged commit by the person requesting.
|
|
|
|
When creating the tag for a pull request, git drops one into an editor and
|
|
asks one to describe the tag. One should then give a lengthy description of
|
|
one's pull request documenting the changes made.
|
|
|
|
When accepting a pull request, the information provided by the requestor
|
|
through the tag and elsewhere should be duplicated by the acceptor into
|
|
the (possibly quite lengthy) merge message.
|
|
|
|
Thus all changes should be made, explained, and approved by persons
|
|
identified cryptographically, rather than through the domain name system.
|
|
|
|
## setting up automatic git signing of commits
|
|
|
|
Suppose you choose the nym "`gandalf`".
|
|
(First make sure that no one else is using your nym by glancing at the
|
|
`.gitsigners` file, which should be in sorted order, and if it is not,
|
|
run the linux sort command on it)
|
|
|
|
then at the root of your repository
|
|
|
|
```bash
|
|
ssh-keygen -t ed25519 - C gandalf -f .git/gandalf #to create your key pair
|
|
git config user.signingkey .git/gandalf.pub #tell git to use this key pair
|
|
git config user.name gandalf #will be ignored
|
|
git config user.email gandalf@ #fake email will be ignored
|
|
git config include.path ../.gitconfig #sets various defaults, ssh signing among them
|
|
```
|
|
|
|
Then add\
|
|
`gandalf ssh-ed25519 «your-public-key-as-in-gandalf.pub»`\
|
|
to the .gitsigners file to publish your public key to anyone
|
|
who wants to make sure that commits are from the nym that they
|
|
claim to be -- at least claim to be when their commits are
|
|
displayed by the git aliases of `.gitconfig`
|
|
|
|
The nym in `.gitsigners` is the one that matters, though `user.email`
|
|
and `user.name` should be the same or sufficiently related to
|
|
show you are not up to anything funny.
|
|
|
|
# No race, sex, religion, nationality, or sexual preference
|
|
|
|
![On the internet nobody knows you are a dog](../images/nobody_know_you_are_a_dog.webp)
|
|
|
|
Everyone shall be white, male, heterosexual, and vaguely Christian, even
|
|
if they quite obviously are not, but no one shall unnecessarily and
|
|
irrelevantly reveal their actual race, sex, religion, or political orientation.
|
|
|
|
Unnecessarily informing people one is female or Jewish or nonwhite
|
|
should get similar treatment to unnecessarily informing people one is a
|
|
pure blooded Aryan.
|
|
|
|
All faiths shall be referred to respectfully. Even if they happen to be
|
|
making war on us, this software may not be very relevant to that kind of
|
|
warfare, in which case that discussion can be held elsewhere.
|
|
|
|
All sovereigns shall be referred to respectfully, if they are referred to at all,
|
|
which they should not be. If this software is likely to frustrate their
|
|
objectives, or even contribute to their overthrow, no need to make it
|
|
personal, no need to trigger our enemies. War will come to us soon
|
|
enough, no need to go looking for it.
|
|
|
|
# No preaching supererogation
|
|
|
|
Status must be on the basis of code, good code, and clever code, not on
|
|
cheap claims of superior virtue.
|
|
|
|
When someone plays the holier than thou card, he does not intend to share
|
|
what we are sharing. Out of envy and covetousness, he intends to deny us
|
|
what we are sharing, to deny us that which is ours.
|
|
|
|
If he is holier than we are, he not only wants what we have, which we will
|
|
gladly share. He wants us to not have what we have.
|
|
|
|
Christians are required to turn the other cheek, and people attempting to
|
|
maintain a politically neutral environment need to turn the other cheek.
|
|
But you very quickly run out of cheeks, and then it is on. You cannot be
|
|
politically neutral when the other guy is not being neutral. You have to
|
|
bring a gun to a gunfight and a faith to a holy war. People who start
|
|
politics in an environment intended to be politically neutral have to be
|
|
purged, and a purge cannot be conducted in a politically neutral manner.
|
|
You have to target the enemy faith and purge it as the demon worshiping
|
|
heresy that it is, or else those attempting to maintain political neutrality
|
|
will themselves be purged as heretics, as happened to the Open Source and
|
|
Free Software movements. You may not be interested in war, but war is
|
|
interested in you.
|
|
|
|
We want to maintain a politically, racially, religiously, and ethnically
|
|
neutral environment, but it takes two to tango. You cannot maintain a
|
|
politically neutral environment in a space where an enemy faction wants
|
|
their politics to rule. Neutrality cannot actually be neutral. It merely means
|
|
that the quietly ruling faction is quiet, tolerant of its opponents, and does
|
|
not demand affirmations of faith. If an enemy faith wants to take over,
|
|
the ruling faith can no longer be quiet and tolerant of that opponent.
|
|
|
|
## No claims of doing good to random unknown beneficiaries
|
|
|
|
We are doing this for ourselves, our friends, our kin, and our posterity, not
|
|
for strangers a thousand miles away, and we only care about strangers a
|
|
thousand miles away to the extent that they are likely to enable us to make
|
|
money by making them secure.
|
|
|
|
If someone mentions the troubles of people a thousand miles away, it
|
|
should only be in the frame that we will likely have similar troubles soon
|
|
enough, or that those people a thousand miles away, of a different race,
|
|
religion, and language, could use our product to their, and our, mutual
|
|
advantage, not because he cares deeply for the welfare of far away
|
|
strangers that he has never met in places he could not find on a map.
|
|
|
|
## No victim classes, no identity politics, and no globalism
|
|
|
|
The Open Source and Free Software movements were destroyed by
|
|
official victimhood. Status and leadership must be on the basis of code,
|
|
good code, and clever code, not on cheap claims of superior oppression.
|
|
|
|
The experience of the Open Source and Free Software movement
|
|
demonstrates that if victimhood is high status, code and code quality must
|
|
be low status. If victimhood is high status then “you did not build that”.
|
|
Rather, if victimhood is high status, then good code, silicon fabs, and
|
|
rockets spontaneously emerged from the fertile soil of sub-Saharan Africa,
|
|
and was stolen by white male rapists from the brave and stunning black
|
|
warrior women of sub-Saharan Africa, and social justice demands that the
|
|
courageous advocate for the brave and stunning black warrior women of
|
|
sub-Saharan Africa takes what you have, what you gladly would share,
|
|
away from you.
|
|
|
|
Unless, when a female contributor unnecessarily and irrelevantly informs
|
|
everyone she is female, she is told that she is seeking special treatment on
|
|
account of sex, and is not going to get it, no organization or group that
|
|
attempts to develop software is going to survive. Linux is a dead man walking.
|
|
|
|
# Style
|
|
|
|
`.gitconfig` adds several git aliases:
|
|
|
|
1. `git utcmt` to do a commit without recording your timezone in the git history
|
|
1. `git lg` to display the .gitsigner trust information for the last few commits.
|
|
1. `git graph` to graph the commit tree with signing status
|
|
1. `git alias` to display the git aliases.
|
|
|
|
We ignore the Gpg Web of Trust model, and instead use the Zooko
|
|
identity model.
|
|
|
|
We use ssh signatures to verify that remote repository code
|
|
is coming from an unchanging entity, not for Gpg Web of Trust. Web
|
|
of Trust is too complicated and too user hostile to be workable or safe.
|
|
No one ever used it in the intended manner.
|
|
|
|
The web of trust model was written around email, to protect against physhing and
|
|
spearphysh attacks. And who uses email for discussions and coordination these days?
|
|
That was useful in back in the days when when everything important was happening
|
|
on mailing lists like the cypherpunks mailing list. But even back in the day
|
|
the web of trust model had too many moving parts to be very useful. In
|
|
practice people only used Zooko identity, and Web of Trust was a cloud
|
|
of confusing complexity and user hostile interface on top of Zooko identity.
|
|
What gpg identity is primarily used for in practice is to make sure you
|
|
are getting the latest release from the same repository managed by the same person as
|
|
you got the previous release - which is Zooko identity, not Web of Trust
|
|
identity, and has no real relationship to email. Zooko identity is about
|
|
constancy of identity, Web of Trust is about rightful use of email
|
|
addresses. Web of trust was a true names mechanism, and today no one
|
|
speaks the truth under their true name.
|
|
|
|
Web of trust was designed for a high trust society - but in a high trust
|
|
society you don't need it, and in a low trust society, the name servers were
|
|
too vulnerable to enemy action, and died, leaving the Web of Trust user
|
|
interface in every installed copy of gpg a useless obstacle.
|