Nearly every system boils down to some form of trust-on-first-use, like Domain Validation for HTTPS. That just delegates an insecure initial check to many completely trusted authorities and yet in practice it works pretty well, and is a whole lot better than just using HTTP.
It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.
The bar for Linux package signing is considerably higher. I have my choice in Linux distributions and I’ll take one with a central builder/signer. The Arch Linux “solution” sounds rather, what’s the word... clownshoes.
Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.
Having a central build / signing server doesn't mean a developer wasn't also fully trusted with what they told the server to build, without anyone reviewing what they asked it to build. It's usually not the case that a central build server is trusted *instead* of developers.
I will take a central builder/signer over a bunch of TOFU signing keys for signing random binary blobs who knows built who knows how on who knows what, thank you very much.
Mystery binaries, signed by random keys. But it’s secure, because TOFU.
You’re arguing 15 different points at once in an incredibly incoherent manner while spouting insults.
Instead of saying shit like this, if you want to have a productive conversation, provide clarifications? This is just negging.
Quote Tweet
Replying to @bascule and @hdevalence
I never said that.
I don't know what else to say beyond that I didn't say that. I don't understand why you're mad at me. I've been trying my best to clarify what I said initially and I wasn't trying to turn it into something hostile.
Here is what you said:
Quote Tweet
Replying to @DanielMicay @bascule and @hdevalence
Developers build and sign the binary packages with their own keys. They're responsible for the security of their packages. The package manager trusts packages signed by a packager with at least 3/5 signatures from the master keys on their personal package signing key.
It appears you wanted to clarify how the PKI worked, because I was unclear about how the PKI worked, because at the same time you were also making an unrelated argument about TOFU. But instead of saying what was incorrect, you just negged.