upvote

points

by cogman107 hours ago |
comments
upvoteby KronisLV6 hours ago|
next
[-]
> What proof do I give them and how does it tie back to my email?

Presumably your ID so that feds may pay you a visit when they feel like it, your email need not apply.

I’m surprised that there’s even enough pushback against ID verification to matter, all the corpos are probably salivating at the idea of having fully accurate profiles of everyone, think of the ad and product targeting. The govt. would also love that, for different reasons.

reply
upvoteby wholinator26 hours ago|
parent|
next
[-]
I'd honestly much rather give my ID to a Chinese model than an American one. If the American ones start requesting ID I'm out. I'm on a gemini organizational account right now that gives me pro but is directly tied to my organizational SSO. So that's something already. I just refuse to upload my face and drivers license anywhere ever.
reply
upvoteby cbg06 hours ago|
parent|
prev|
[-]
How will the "feds" pay you a visit in Albania or China?
reply
upvoteby KronisLV6 hours ago|
parent|
next
[-]
Simple - you wouldn’t be given access to those models, and probably all VPN access would be blocked too. Since this is a hypothetical, throw in a social credit score as well to require a proven “track record”, but maybe that’s too exaggerated (although credit scores already exist for different purposes).

It’s not too hard to imagine a future where you can only use certain things only with the govt. mandated spyware installed - bank apps already often don’t work on rooted Android phones (and you’re expected to use those apps to confirm payments) and all sorts of certification exam software is basically that already if you take a test remotely.

It follows that the same principle would just get pushed further, like what Discord wanted to do etc. Same with how Apple requires your documents for a developer account, Hetzner for a hosting account or Twitch for getting paid by them and tax stuff.

reply
upvoteby ceejayoz6 hours ago|
parent|
prev|
[-]
In the dystopian direction, exit visa requirements for people with access? Families back home as hostages like North Korea does?
reply
upvoteby NiloCK7 hours ago|
prev|
next
[-]
This is a credentials and access list oAuth style problem, and not really intractable.

For package X, I should be able to present my npm (homebrew, apt, nuget, etc) credentials with publishing rights for the package.

If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing.

Yes, we still are trusting trust, that the owner of the package itself is not malicious, but that's not a sharp degradation from status quo.

reply
upvoteby Retr0id6 hours ago|
parent|
next
[-]
This is not tractable, because there is nothing stopping me from copy-pasting someone else's project into my own namespace. Under most OSS licenses I have express permission to do so.

If you try to do some kind of dupe-detection, someone can use a lightweight LLM to make superficial changes until it's considered a different project.

Finally, the meatspace status quo is that it is totally acceptable to pay someone to find security bugs in someone else's open-source software, such as the Linux kernel.

reply
upvoteby cogman106 hours ago|
parent|
next
[-]
> If you try to do some kind of dupe-detection, someone can use a lightweight LLM to make superficial changes until it's considered a different project.

Even if you don't, a lot of source code can be legitimately copied thanks to the GPL/MIT/BSD/etc. I'm allowed to take all of zlib and integrate it into my own project if I so chose.

reply
upvoteby Retr0id6 hours ago|
parent|
[-]
Yup, I just added something to that effect, sorry if my edit arrived after you replied.
reply
upvoteby NiloCK4 hours ago|
parent|
prev|
[-]
[dead]
reply
upvoteby sophrosyne426 hours ago|
parent|
prev|
next
[-]
You are talking about creating a big moat, which might be a worse precedent than removing fable access altogether.
reply
upvoteby Yossarrian226 hours ago|
parent|
prev|
[-]
And what if I’m a crazy person and want to fork the Linux kernel as I’m legally allowed to do?
reply
upvoteby NiloCK4 hours ago|
parent|
next
[-]
> If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing.

Your private fork doesn't meet the conditions described.

reply
upvoteby cogman106 hours ago|
parent|
prev|
[-]
Not just allowed to do, encouraged to do as part of legitimate development.
reply
upvoteby _fizz_buzz_7 hours ago|
prev|
[-]
> How does anthropic know my "kernel" project isn't a personal toy and not the Linux kernel?

The Linux Kernel is in its training data. I just tested it. I copied about 20 random lines from the linux kernel and asked which codebase this was from and it could immediately tell.

reply
upvoteby cogman107 hours ago|
parent|
[-]
The Linux kernel is also in the free bsd project. I'm allowed to copy as little or as much of the kernel as I like into my personal project thanks to the GPL.

Being able to attribute the source of a line of code doesn't help you to know if a repository can be legitimately hacked on.

As you could imagine, I might just take all or part of the Linux USB stack from the kernel to retrofit it into my own kernel.

reply