The complexities of citing and publishing your source (code)

Dall-E Generated Image from prompt "open source hacker"

While I was walking to the coffee shop that has quickly become my office away from home, I was listening to a fantastic book by Zeynep Tufekci (Twitter and Tear Gas). In the book, which covers protest movements in the context of the social media era, the author talks about disinformation sowing discord as a form of censorship. Essentially, real facts cannot get the air to breathe because it is being hogged by conspiracy theories and nonsense.

I started to think about the classic phrase you see on social media nowadays, in part as a result of this phenomenon.


The phrase is meant to ask the poster for the source of their information. I would venture to bet that most of the time these requests are genuinely from people interested in fact checking or getting to the root of a story. It did, however, make me think of a comparison in a different space: open-source software.

In information security, the idea that open-source software is “more secure” by nature of it being open source is kind of a running meme. The idea has some basis in logical reality: because the source is open to the public, anyone can review it for issues. It is technically easier to find a lot of bugs when you have the source code available.

However, the entire argument is based on people actually reviewing the code. This doesn’t happen as often as you would think, and open-source projects still frequently lead to security breaches that could have been found by source code review. There are also some bugs, like logic bugs, that don’t show up as glaringly obvious mistakes in source code. All of the code might be right and safe, but if the running code is put into a specific state in a specific manner, a logical bug could lead to disastrous consequences all the same.

Our media consumption habits are just the same. When papers cite sources, they do so out of a willingness to adhere to a specific set of norms that guide academic or journalistic publishing to allow the reader to double check their work. Most of these papers cannot spend all of their time re-hashing work that has already been done, too, so the source citing is a helpful way to save time on reporting as well.

The same problem applies, though: people have to be willing (and able) to review those sources from an honest perspective. Much work has been done to “prove” that the US election in 2020 was not rigged and was carried out honestly, with sources cited and much ado about proving the matter, carried out more transparently than you can honestly expect out of the US government, but an entire feature-length film was still published about the rigging of the election.

The scientific community has worked tirelessly to prove that the various COVID vaccines are safe, with papers from every academic research institution of note with sources cited, i’s dotted and t’s slashed, yet the anti-vax conspiracy community is still loud and proud.

The United States entered a decades-long war in Iraq over bad sourcing, Putin invaded Ukraine and Chechnya with deliberately bad or at least suspect sourcing, and the list goes on and on. It simply isn’t enough to cite sources anymore, even if it is still vital to the few who will actually check over the work of the author.

It’s an issue that spans the problem spaces of logic, philosophy, ethics, media literacy and more, and one I still haven’t really figured out a solution for.