So it wouldn’t have helped for event-stream
Conversation
...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯
2
1
I do care about the practical implications, and I also realize that a system doesn't need to perfect to mitigate many real attacks. Doing better than trust-on-first-use is hard but it can be built on top of a baseline implementation and isn't required to have lots of value.
1
Nearly every system boils down to some form of trust-on-first-use, like Domain Validation for HTTPS. That just delegates an insecure initial check to many completely trusted authorities and yet in practice it works pretty well, and is a whole lot better than just using HTTP.
1
It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.
1
The bar for Linux package signing is considerably higher. I have my choice in Linux distributions and I’ll take one with a central builder/signer. The Arch Linux “solution” sounds rather, what’s the word... clownshoes.
1
Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.
2
Having a central build / signing server doesn't mean a developer wasn't also fully trusted with what they told the server to build, without anyone reviewing what they asked it to build. It's usually not the case that a central build server is trusted *instead* of developers.
2
I will take a central builder/signer over a bunch of TOFU signing keys for signing random binary blobs who knows built who knows how on who knows what, thank you very much
2
I never said Arch Linux used TOFU signing keys or that it's unknown who built what and who is trusted.
1
I said that TOFU is better than not providing any form of package signing at all, and works well for the systems having a lock file with package ids and versions since they can pin the key fingerprints alongside the version. It allows people to do better than TOFU too.