This was largely the reason I rejected "real name verification" ideas at GitHub after the xz attack. (Especially if they are state sponsored) it's not that hard for a dedicated actor (which xz certainly was) to get a quality stolen identity.

The inevitable evolution of such a feature is a button on your repo saying" block all contributors from China, Russia, and N other countries". I personally think that's the antithesis of OSS and therefore couldn't find the value in such a thing.

▲

morkalork 6 hours ago | parent [-]

That would be easily defeated by a VPN. The inevitable evolution would be some kind of in-person attestation of identity backed up with some kind of insurance on the contributor's work, and, well you're converging on the employer-employee relationship then.

	▲	berdario 22 minutes ago \| parent \| next [-]
		"defeated", yes "easily", not so much... As in, services can still detect if you're connecting through a VPN, and if you ever connect directly (because you forgot to enable the VPN), your real location might be detected. And the consequences there might not be "having to refresh the page with the VPN enabled", but instead: "find the whole organisation/project blocked, because of the connection of one contributor" This is why Comaps is using codeberg, after its predecessor (before the fork) project got locked by GitHub https://news.ycombinator.com/item?id=43525395 https://mastodon.social/@organicmaps/114155428924741370 Moreover, this kind of stuff is also the reason I stopped accessing Imgur: - if I try without VPN, imgur stops me, because of the UK's Online Safety Act - if I try with my personal VPN, I get a 403 error every single time I'm sure I could get around it by using a different service (e.g. Mullvad), but imgur is just not important enough for me to bother, so I just stopped accessing it altogether
	▲	hirsin 6 hours ago \| parent \| prev [-]
		Yep, I saw the cat and mouse ending at ever increasingly invasive verifications involving more parties, that could ultimately still be worked around by a state actor. We already get asked for "block access from these country ip ranges please" as a security measure despite it being trivially bypassed, so it is easy to predict a useless but strong demand for blocking users based on their verified country.