I'm not sure that end-user key management actually does work well for a system that operates at the scale that NPM does. Do you know what the largest deployment of such a package manager is?
Conversation
I don't understand what scale has to do with it. Package signing works fine for many other package managers with a large scale. The basic trust on first use security properties don't require any end user key management or extra work on their part.
1
This Tweet was deleted by the Tweet author. Learn more
I too have direct experience working on many package managers specifically on the problem of package signing, and I would argue for a signing system to be useful, at a minimum every package needs to be signed by a key which is ultimately trusted by the end user
2
...but then there’s this problem to consider: how to handle key rotation
1
1
For package signing, automatic rotation based on the old key signing a off on the rotation to a new key works well. Here's an example:
source.android.com/security/apksi
I don't understand making this out to be so hard when package signing is used at huge scales surprisingly successfully.
1
...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯
2
1
I do care about the practical implications, and I also realize that a system doesn't need to perfect to mitigate many real attacks. Doing better than trust-on-first-use is hard but it can be built on top of a baseline implementation and isn't required to have lots of value.
1
Nearly every system boils down to some form of trust-on-first-use, like Domain Validation for HTTPS. That just delegates an insecure initial check to many completely trusted authorities and yet in practice it works pretty well, and is a whole lot better than just using HTTP.
1
It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.
The bar for Linux package signing is considerably higher. I have my choice in Linux distributions and I’ll take one with a central builder/signer. The Arch Linux “solution” sounds rather, what’s the word... clownshoes.
1
Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.
2
Show replies