This Tweet was deleted by the Tweet author.
I too have direct experience working on many package managers, specifically on the problem of package signing, and I would argue that for a signing system to be useful, at a minimum every package needs to be signed by a key which is ultimately trusted by the end user.
I do care about the practical implications, and I also realize that a system doesn't need to be perfect to mitigate many real attacks. Doing better than trust-on-first-use is hard, but it can be built on top of a baseline implementation and isn't required to have lots of value.
Nearly every system boils down to some form of trust-on-first-use, like Domain Validation for HTTPS. That just delegates an insecure initial check to many completely trusted authorities and yet in practice it works pretty well, and is a whole lot better than just using HTTP.
It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.
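To make the "TOFU with fingerprints pinned alongside versions" baseline concrete, here is an added illustration that is not part of the thread and not the code of any package manager the participants work on. It models a lockfile that records, per package, the version, the artifact digest and the fingerprint of the Ed25519 key that signed the release. The first install of a package pins the signer's fingerprint (trust on first use); every later install must verify under a key with the same fingerprint, and a re-served artifact for an already pinned version must hash identically. The lockfile layout, the signed message format, the package names and the `Install`/`Sign` helpers are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Pin is one lockfile entry: version, artifact digest and signer key fingerprint
// (constructed layout, not any real package manager's lockfile format).
type Pin struct {
	Version     string
	ArtifactSHA string
	KeyFP       string
}

// Lockfile maps package name to its pin.
type Lockfile map[string]Pin

// Release is what an index would serve: artifact bytes, the publisher's public
// key and a signature over (name, version, sha256(artifact)).
type Release struct {
	Name      string
	Version   string
	Artifact  []byte
	PubKey    ed25519.PublicKey
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify under presented key")
	ErrKeyChanged   = errors.New("signing key differs from pinned fingerprint")
	ErrHashMismatch = errors.New("artifact digest differs from lockfile for same version")
)

// NewPublisherKey generates a fresh Ed25519 signing key (publisher side).
func NewPublisherKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// fingerprint is sha256 over the raw public key, hex encoded.
func fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

func digestOf(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// signedMessage binds name and version to the artifact digest so a signature
// cannot be replayed onto a different package or version.
func signedMessage(name, version string, artifact []byte) []byte {
	return []byte(name + "\x00" + version + "\x00" + digestOf(artifact))
}

// Sign is the publisher side: produce a release signed with priv.
func Sign(priv ed25519.PrivateKey, name, version string, artifact []byte) Release {
	return Release{
		Name:      name,
		Version:   version,
		Artifact:  artifact,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedMessage(name, version, artifact)),
	}
}

// Install verifies a release against the lockfile. On first sight of a package
// the signer fingerprint is pinned (TOFU) and pinned=true is returned. Afterwards
// the key must match the pin, and a pinned version must hash identically; a
// legitimate upgrade under the same key updates the pin.
func Install(lock Lockfile, r Release) (pinned bool, err error) {
	if !ed25519.Verify(r.PubKey, signedMessage(r.Name, r.Version, r.Artifact), r.Signature) {
		return false, ErrBadSignature
	}
	fp := fingerprint(r.PubKey)
	digest := digestOf(r.Artifact)
	prev, seen := lock[r.Name]
	if !seen {
		lock[r.Name] = Pin{Version: r.Version, ArtifactSHA: digest, KeyFP: fp}
		return true, nil
	}
	if prev.KeyFP != fp {
		return false, ErrKeyChanged
	}
	if prev.Version == r.Version && prev.ArtifactSHA != digest {
		return false, ErrHashMismatch
	}
	lock[r.Name] = Pin{Version: r.Version, ArtifactSHA: digest, KeyFP: fp}
	return false, nil
}

func main() {
	lock := Lockfile{}
	publisher := NewPublisherKey() // constructed key, exists only for this run
	pinned, err := Install(lock, Sign(publisher, "example-pkg", "1.0.0", []byte("v1 bytes")))
	fmt.Println("first install pinned:", pinned, "err:", err)
	// A different key with a perfectly valid signature is still rejected.
	other := NewPublisherKey()
	_, err = Install(lock, Sign(other, "example-pkg", "1.0.1", []byte("v2 bytes")))
	fmt.Println("key change:", err)
}
```

The point the thread makes is visible in the second call: a rotated or substituted key produces a valid signature, so signature verification alone passes, and only the pinned fingerprint turns it into a hard failure that a user must consciously resolve.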
Having a central build / signing server doesn't mean a developer wasn't also fully trusted with what they told the server to build, without anyone reviewing what they asked it to build. It's usually not the case that a central build server is trusted *instead* of developers.
We're not at the point that there are fully reproducible builds across the board and a requirement of having multiple signatures asserting that the build matches the sources. Distributions rarely even verify the sources in the small subset of cases where signatures are available.
You're linking in a thread where you've previously made comments like twitter.com/bascule/status. I feel like you've been trying to ridicule everything I've said and I don't understand why.
Quote Tweet
Replying to @bascule @DanielMicay and @hdevalence
...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯