I wrote this article up, but at the last minute decided not to post it. Maybe I'm just afraid, but I wonder if it's too flame-prone to put on the front page. If you think otherwise, mail me at firstname.lastname@example.org and tell me otherwise, and I'll consider posting it.
Meta: Abused trust?
Lots of recent diary entries (disclosure: including one of mine) are highlighting the feeling that our web of trust is growing in a disturbing direction: away from its original intent to allow folks to certify fellow free software developers, and instead turning into a hyperlinked old boys network.
NOTE: There are those of you who may think this article is very unfriendly, maybe trolling, or perhaps even elitist. Consider this a free pass -- you don't have to read it. Then again, you might want to, and voice your opinion in opposition. I welcome that.
Without going back and highlighting any particular diarists' entries, I think there's a feeling that there's both overcertification going on and certification where there really shouldn't be any. Folks are getting marked up because they know someone else, while their pages mention no involvement whatsoever in contributions to free software projects. I want to believe that these folks just haven't put their contributions up, maybe out of forgetfulness, maybe out of self-deprecation. Unfortunately, there are several who state they're working entirely in proprietary circles; they may use free software tools, but that doesn't make them a free software contributor. Perhaps an apprentice, in some cases, but I'd say they would at least have to have a desire to contribute first. I don't feel anyone who doesn't at least work on one coherent free software project (contributing code or at least infrastructure) should be more than an apprentice, ever.
I'm an apprentice. I don't deserve to be anything more at this time, no matter how brilliant someone may think a piece of code I've written is (and I sure as heck can't think of any code I've written that even approaches brilliant right now). I've contributed bugfixes to various projects and I do some work with the OpenBSD ports tree, but I'm still learning.
This sort of thing makes me wonder about the web of trust concept in general. When the passing around of trust happens liberally, and apparently without much thought, the web breaks. A common security axiom is "a secure system is only as good as its weakest link", and that applies to the web of trust in security circles as well. I submit that it also applies here.
When I first started writing this, I thought perhaps it might generate some useful discussion, but maybe I'm too rooted in Slashdot and Usenet flamefests to believe that. Again, if folks think I should post it, let me know; but I'll just leave it here instead.