I’d actually broaden the concern. Like, having sockpuppet accounts bullying a maintainer is one form of attack, but more-broadly, social engineering is, I think, a real concern.

My understanding is that it’s considered likely that there was a national intelligence agency behind the xz attack. Point is, if they did it once, it’s probably in the toolkit, and will come up again. Not just from them, but from other organizations who will study attacks and see what works.

The problem with being an open-source developer is that you don’t spend your days trying to figure out counters to social engineering attempts. On the other side, you’ve got people who may well be spending a lot of time, reading papers, throwing around theories on just how to best pull this sort of thing off. The result is that one side is a novice, and the other has a lot of expertise and time to create a plan.

And the problem isn’t just how to counter social engineering attempts, but how to do so without being too corrosive to the open-source development community. Like, right now there’s a certain level of reliance on trust. If there isn’t any trust, it’s gonna be harder to do open-source development.

In both the potential F-Droid attack mentioned and at least some of the people with the Jia Tan/xz attack, some sockpuppets were used that had little history. It might increase the cost of an attack to take into account someone’s history. But…then, the Jia Tan attack also had a very considerable amount of effort put into creating a false persona, the one that actually did the commits.