Proving to Fable I maintain the repo

rqlite is a lightweight, open-source, distributed relational database built on SQLite and Raft.

After my initial experience with Fable, it got me thinking. I created rqlite, I maintain it. Why won’t Fable help me find and fix bugs in the software? Why does it refuse to identify potential bugs? Because it doesn’t know for sure I am who I say I am.

What we need is a way to prove to Fable I’m the maintainer. After all, I’m not going to hack rqlite, take advantage of deployments. I just want to improve it.  We need a system to prove control of a GitHub repository.

Perhaps the verification flow could work like this:

  1. Identify: Fable reviews the commit history on GitHub to identify the primary maintainers.

  2. Challenge: Fable challenges the maintainer to add a specific verification key to their public GitHub profile or a security file in the repository. This is similar to how you prove domain ownership by adding a DNS TXT record.

  3. Verify: Once Fable detects the key, it verifies the maintainer’s identity and provides them with the full report of potential vulnerabilities.

With a system like this in place, open-source developers could safely collaborate with AI security tools – allowing me to get back to burning tokens and making rqlite more secure.

Leave a Reply

Your email address will not be published. Required fields are marked *