Conversation

This Tweet was deleted by the Tweet author. Learn more

Tony "Abolish ICE" Arcieri

@bascule

Nov 26, 2018

Replying to

@DanielMicay

and

@hdevalence

I too have direct experience working on many package managers specifically on the problem of package signing, and I would argue for a signing system to be useful, at a minimum every package needs to be signed by a key which is ultimately trusted by the end user

Tony "Abolish ICE" Arcieri

Replying to

and

...but then there’s this problem to consider: how to handle key rotation

tonyarcieri.com

Key rotation, user experience, and crypto reporting

WhatsApp was the subject of a recent Guardian article making claims of a “backdoor” stemming from a “bug” in the way WhatsApp handles key rotations for users. The problem? WhatsApp will automatically...

Replying to

and

For package signing, automatic rotation based on the old key signing a off on the rotation to a new key works well. Here's an example: source.android.com/security/apksi I don't understand making this out to be so hard when package signing is used at huge scales surprisingly successfully.

Tony "Abolish ICE" Arcieri

Replying to

and

So it wouldn’t have helped for event-stream

Tony "Abolish ICE" Arcieri

Replying to

and

...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯

Replying to

and

I do care about the practical implications, and I also realize that a system doesn't need to perfect to mitigate many real attacks. Doing better than trust-on-first-use is hard but it can be built on top of a baseline implementation and isn't required to have lots of value.

Replying to

and

Nearly every system boils down to some form of trust-on-first-use, like Domain Validation for HTTPS. That just delegates an insecure initial check to many completely trusted authorities and yet in practice it works pretty well, and is a whole lot better than just using HTTP.

Replying to

and

It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.

Tony "Abolish ICE" Arcieri

Replying to

and

The bar for Linux package signing is considerably higher. I have my choice in Linux distributions and I’ll take one with a central builder/signer. The Arch Linux “solution” sounds rather, what’s the word... clownshoes.

Replying to

and

Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.

12:09 AM · Nov 27, 2018Twitter Web Client

Replying to

and

Having a central build / signing server doesn't mean a developer wasn't also fully trusted with what they told the server to build, without anyone reviewing what they asked it to build. It's usually not the case that a central build server is trusted *instead* of developers.

Replying to

and

We're not at the point that there are fully reproducible builds across the board and a requirement of having multiple signatures asserting that the build matches the sources. Distributions rarely even verify the sources in the small subset of cases where signatures are available.

Tony "Abolish ICE" Arcieri

Replying to

and

Hey look you’re literally being “that guy” right now

Quote Tweet

Tony "Abolish ICE" Arcieri

@bascule

Nov 26, 2018

People (or should I say "charlatans") in the "crypto" space constantly belittle others with "You don't get..." or "You don't understand..." statements, as if they've undergone some divine awakening others have not experienced. These people are mostly full of shit.

Show this thread

Replying to

and

You're linking in a thread where you've previously made comments like twitter.com/bascule/status. I feel like you've been trying to ridicule everything I've said and I don't understand why.

Quote Tweet

Tony "Abolish ICE" Arcieri

@bascule

Nov 26, 2018

Replying to @bascule @DanielMicay and @hdevalence

...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯

Show replies