
eamann | 9 months ago

It's a bit disappointing that a seemingly official project isn't using commit signing for verification and non-repudiation. It's open source, great! But it's also pretty massive (i.e. hard to review everything), and there's the chance of a bad actor sticking code in something as critical as tax filings.


deepsun | 9 months ago

Kinda. Since it's Public Domain, there's little to no use in signing the code, because they explicitly forfeited any rights to it.

Public Domain means you can legally take their code, riddle it with malware, and distribute, claiming that's the real and true Direct File source code, and you are its author. What you do with malware is a different legal issue of course.

So I'm not sure proving you are commit owner by signing it is really helpful if anyone can do it as well, and there's no copyright holder to decide who's right.

justinrubek | 9 months ago

Copyright doesn't have anything to do with it, even remotely. I don't care who owns it or who claims to own it. But it may be useful to verify that the commit came from the government.
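The distinction drawn in the two comments above (anyone can sign a public-domain copy, but only one key is the one you trust) is what commit signature verification actually checks. The following Go program is an added example, not code from the thread or from the Direct File project: it builds git-style commit objects, signs them with Ed25519, and verifies each against a single trusted public key. The tree/parent hashes, author line and key pairs are constructed for the example; real git stores the signature in a `gpgsig` header inside the commit object and, for SSH-format signatures, checks the key against an allowed-signers file, which is the "trusted key" role played here by `officialPub`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// commitObject builds a git-style commit object: the header "commit <size>\0"
// followed by the commit body. Real git embeds the signature in a "gpgsig"
// header inside this body; here it is kept beside the object for brevity.
func commitObject(tree, parent, author, message string) []byte {
	body := fmt.Sprintf("tree %s\nparent %s\nauthor %s\ncommitter %s\n\n%s\n",
		tree, parent, author, author, message)
	return []byte(fmt.Sprintf("commit %d\x00%s", len(body), body))
}

// commitID is the SHA-1 object id git would assign (SHA-1 is git's default
// object-id hash; it is not what provides the security here, the signature is).
func commitID(obj []byte) string {
	sum := sha1.Sum(obj)
	return hex.EncodeToString(sum[:])
}

// signCommit produces a detached Ed25519 signature over the whole object.
func signCommit(priv ed25519.PrivateKey, obj []byte) []byte {
	return ed25519.Sign(priv, obj)
}

// verifyCommit answers the question that matters: not "is this signed?" but
// "is this signed by the key we already trust?"
func verifyCommit(trusted ed25519.PublicKey, obj, sig []byte) bool {
	return ed25519.Verify(trusted, obj, sig)
}

// Demo returns three verification results:
//   officialOK: the genuine commit checked against the trusted key
//   impostorOK: a re-signed fork checked against the trusted key
//   tamperedOK: a modified commit checked with the genuine signature
func Demo() (officialOK, impostorOK, tamperedOK bool) {
	officialPub, officialPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample values; they are not real Direct File object ids.
	tree := "0123456789abcdef0123456789abcdef01234567"
	parent := "89abcdef0123456789abcdef0123456789abcdef"
	author := "Release Bot <release@example.gov> 1700000000 +0000"

	obj := commitObject(tree, parent, author, "Import Direct File source")
	sig := signCommit(officialPriv, obj)
	officialOK = verifyCommit(officialPub, obj, sig)

	// Anyone may copy, modify and sign the code (the public-domain point),
	// but a signature from some other key does not verify against the
	// key a reviewer trusts.
	forkObj := commitObject(tree, parent, author, "Import Direct File source (plus extra code)")
	forkSig := signCommit(impostorPriv, forkObj)
	impostorOK = verifyCommit(officialPub, forkObj, forkSig)

	// Altering a signed commit invalidates the original signature.
	tampered := commitObject(tree, parent, author, "Import Direct File source\n\n(modified)")
	tamperedOK = verifyCommit(officialPub, tampered, sig)
	return
}

func main() {
	obj := commitObject("0123456789abcdef0123456789abcdef01234567",
		"89abcdef0123456789abcdef0123456789abcdef",
		"Release Bot <release@example.gov> 1700000000 +0000",
		"Import Direct File source")
	fmt.Println("commit id:", commitID(obj))
	officialOK, impostorOK, tamperedOK := Demo()
	fmt.Printf("official=%v impostor=%v tampered=%v\n", officialOK, impostorOK, tamperedOK)
}
```

The useful takeaway is that the check is only as good as the out-of-band trust in `officialPub`: if the trusted key is fetched from the same place as the code, an attacker who can replace the code can replace the key too.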

pfg_ | 9 months ago

You don't know what they used internally. There are two commits on GitHub which just dump the code from whatever they used for version control for the past two years, and no further development will take place.

dylan604 | 9 months ago

What could it really do though? Any discrepancies will just be settled in an audit. Of course, you are providing name, address, SSN, bank account info, but what malevolent entity doesn't already have that data about you anyway? Besides, "trust us, we're the government" is good enough already! /s