I do care about the practical implications, and I also realize that a system doesn't need to be perfect to mitigate many real attacks. Doing better than trust-on-first-use is hard but it can be built on top of a baseline implementation and isn't required to have lots of value.
Nearly every system boils down to some form of trust-on-first-use, like Domain Validation for HTTPS. That just delegates an insecure initial check to many completely trusted authorities and yet in practice it works pretty well, and is a whole lot better than just using HTTP.
It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.
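The "TOFU with fingerprints pinned alongside versions" scheme described in the tweet above, as an added example that is not part of the thread and not the code of any real package manager: the first time a given name@version is installed its SHA-256 digest is recorded in a lockfile, and every later install of that same name@version must match the pin. The registry contents, package name and lockfile format here are constructed for illustration.

```python
"""Minimal trust-on-first-use (TOFU) pinning for a package lockfile.

Added example; assumes a hypothetical registry and lockfile format.
"""
import hashlib
import json

# Constructed sample "registry": package name -> version -> artifact bytes.
# A real package manager would fetch these bytes over the network.
REGISTRY = {
    "example-pkg": {
        "1.0.0": b"module.exports = function pad(s, n) { return s.padStart(n); };",
        "1.0.1": b"module.exports = function pad(s, n) { return s.padStart(n, ' '); };",
    },
}


def sha256_hex(data: bytes) -> str:
    """Fingerprint an artifact; SHA-256 is what lockfile integrity fields commonly use."""
    return hashlib.sha256(data).hexdigest()


class PinMismatch(Exception):
    """Raised when a previously pinned name@version comes back with different bytes."""


class Lockfile:
    """Maps "name@version" -> hex SHA-256 of the artifact seen on first install."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})

    def dumps(self) -> str:
        # Stable ordering so the lockfile diffs cleanly in version control.
        return json.dumps(self.entries, sort_keys=True, indent=2)

    @classmethod
    def loads(cls, text: str) -> "Lockfile":
        return cls(json.loads(text))


def install(name: str, version: str, artifact: bytes, lock: Lockfile):
    """Return (status, digest).

    First sight of name@version pins its digest (trust on first use).
    Any later install of the same name@version must match the pin.
    A new version is a new TOFU event: the pin does not vouch for its contents.
    """
    key = f"{name}@{version}"
    digest = sha256_hex(artifact)
    pinned = lock.entries.get(key)
    if pinned is None:
        lock.entries[key] = digest
        return "pinned", digest
    if pinned != digest:
        raise PinMismatch(f"{key}: pinned {pinned[:12]}..., fetched {digest[:12]}...")
    return "verified", digest


def scenario() -> dict:
    """Walk through the cases that matter and report what the pin check did."""
    lock = Lockfile()
    good = REGISTRY["example-pkg"]["1.0.0"]
    result = {}

    # 1. First install: nothing to compare against, so the digest is pinned.
    result["first_install"] = install("example-pkg", "1.0.0", good, lock)[0]

    # 2. Lockfile is committed, checked out elsewhere, and the same bytes arrive again.
    lock = Lockfile.loads(lock.dumps())
    result["reinstall_from_lockfile"] = install("example-pkg", "1.0.0", good, lock)[0]

    # 3. Same version, different bytes (registry compromise or replaced tarball).
    try:
        install("example-pkg", "1.0.0", good + b"\n/* injected */", lock)
        result["tampered_same_version"] = "accepted"
    except PinMismatch:
        result["tampered_same_version"] = "rejected"

    # 4. A new version is pinned fresh; TOFU says nothing about whether it is benign.
    result["new_version"] = install(
        "example-pkg", "1.0.1", REGISTRY["example-pkg"]["1.0.1"], lock
    )[0]
    return result


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

Case 3 is the attack this scheme actually stops: the bytes behind an already-pinned name@version cannot be silently swapped for anyone who holds the lockfile. Case 4 is the limit the thread is debating: a malicious new version is pinned just as readily as a good one, so pinning raises the bar without replacing review or signing.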
Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.
You're linking in a thread where you've previously made comments like twitter.com/bascule/status. I feel like you've been trying to ridicule everything I've said and I don't understand why.
Quote Tweet
Replying to @bascule @DanielMicay and @hdevalence
...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯
I made 2 initial comments about the topic (twitter.com/DanielMicay/st) and tacked on one more after I looked into npm and noticed it had no package signing. I didn't intend for that to be directly related to the main issue. I just found it surprising they have no package signing.
Quote Tweet
Replying to @hdevalence and @bascule
If they wanted him to have the responsibility of doing due diligence, companies depending on his library should have paid him. He stated that he was doing it for fun and it stopped being fun so he handed it off to someone else as quickly as they showed up. It was a hobby project.