This is a continuation of my thoughts on privacy for free software developers. In particular, I have given some thought to trusting code from anonymous developers.

My conclusion is that it’s really no different from trusting code by developers whose identity you know: it all depends.

The main reason it is useful to know the identity of a developer is for blame and punishment.

If the code is wrong, you know whom to blame for the bug. It does not prevent the bug, and it does not help get the bug fixed, except indirectly: the person who is blamed for it has an additional incentive for fixing it. It is good for their reputation if they fix their bugs. However, a reputation does not require knowing someone’s real identity: the important thing is that the reputation belongs to someone, not that you know the government-registered name of that person.

If the code is actively hostile or distributed illegally, you need to know their identity so you can find them and punish them. For this, knowing the identity is needed, but it is a folly to assume you know it unless you verify it, and I don’t think the free software development community can work if everyone’s identity needs to be strongly verified all the time. Thus, in practice, you don’t know the author’s identity until you verify it, and there’s no point in verifying it until and unless there’s a particular need to do so.

Thus, I don’t think it should be necessary to know the identity of the author of some code to be able to trust it. It should be possible for a completely anonymous person to participate in free software development.

These are my conclusions. I have a further one: I doubt this will matter to most projects or most people. The assumption that knowing someone’s name is necessary for trusting them is strongly ingrained in the way people think.