Code is More Important than Identity for Security

Asking open source contributors to prove their legal identity doesn’t make software more secure.

Michael Lieberman

Ben Cotton

May 14, 2025

Recently, we’ve seen a lot of conversations about coming up with ways to tie open source contributors to a known identity. Analogies are drawn to the “know your customer” requirements for banks or the TSA PreCheck program for expedited security screening at U.S. airports. These conversations are typically framed as a way of improving trust in open source software: if you know who someone is, their background, etc., you can be more confident that they’re not doing bad things. The intent is good, but it’s the wrong approach for open source.

What’s in it for me?

The PreCheck analogy falls apart because there’s no benefit to developers for participating in such a program. While there are legitimate criticisms of PreCheck, travelers participate because it has value to them. People who participate in PreCheck do so because they think the (often) shorter wait times and relaxed screening requirements are worth $80 every five years. It’s a mutually beneficial arrangement.

What’s the benefit for a volunteer open source maintainer in this scenario? Making it easier for a company to use their project doesn’t necessarily provide a tangible benefit to them. In fact, it may even add burden if the company starts filing bug reports and feature requests. “Give a company private information and in exchange you get extra work to do in your free time” sounds like a rotten deal. Not to mention the fact that people may have valid reasons for using a pseudonym. “Real name” policies are generally discouraged for open source projects.

Code, not identity

Even if there’s an inducement for developers to participate, such as gift cards or complimentary subscriptions, identity isn’t the solution to the problem. Knowing the identity of the person who wrote the code doesn’t make the code good. And if “Jia Tan,” the person or people behind the xz_utils backdoor, is a nation-state actor, there’s little doubt that they could have produced sufficient identity documentation to satisfy a “know your developer” program.

In open source, we don’t need to use identity as a proxy for code quality; we have the code itself. If the software does what it’s supposed to do, it doesn’t matter whether the code was written by Jane S. Wellknown or TaYlOrFaN13. As we described in an earlier blog post, there’s an entire ecosystem of tools that can help organizations use open source software more securely. None of them require a volunteer to disclose their legal identity.

Of course, there are times when identity might matter. Export control law and sanctions may preclude people from a particular country or organization from participating in an open source project. Even then, the concern is complying with laws around economic interactions, not code quality.

Most open source licenses explicitly disclaim any fitness for purpose. The software is provided as-is. This means the burden is on the consumer to make sure it meets their requirements, including security requirements. It’s unreasonable for companies to put the burden on volunteers. The Kusari Platform can help organizations consume open source software more securely by aggregating information about their software supply chain and providing actionable insights.
