It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.
The bar for Linux package signing is considerably higher. I have my choice in Linux distributions and I’ll take one with a central builder/signer. The Arch Linux “solution” sounds rather, what’s the word... clownshoes.
Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.
Hey look you’re literally being “that guy” right now
Quote Tweet
People (or should I say "charlatans") in the "crypto" space constantly belittle others with "You don't get..." or "You don't understand..." statements, as if they've undergone some divine awakening others have not experienced. These people are mostly full of shit.
You're linking in a thread where you've previously made comments like twitter.com/bascule/status. I feel like you've been trying to ridicule everything I've said and I don't understand why.
Quote Tweet
Replying to @bascule @DanielMicay and @hdevalence
...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯
My point in the linked tweet is that everything you're suggesting is, at best, a red herring given the problem at hand. Do you disagree?
I made 2 initial comments about the topic (twitter.com/DanielMicay/st) and tacked on one more after I looked into npm and noticed it had no package signing. I didn't intend for that to be directly related to the main issue. I just found it surprising that they have no package signing.
Quote Tweet
Replying to @hdevalence and @bascule
If they wanted him to have the responsibility of doing due diligence, companies depending on his library should have paid him. He stated that he was doing it for fun and it stopped being fun so he handed it off to someone else as quickly as they showed up. It was a hobby project.
I was wondering what they had to do to hand over control to a different developer. It seems pretty bad if the security of the ecosystem depends on the strength of passwords chosen by people uploading to the site. Then it became an argument about whether package signing is feasible.
You were the one wandering off on these many tangents, and making the conversation incredibly difficult to follow, failing to clarify what I got wrong. And all this while pushing a solution I do not consider to be insecure, while belittling me about failing to understand.
I was replying to your comments and arguing that package signing is completely feasible and can be done with varying tiers of security that are still useful despite lacking perfection. I was frustrated by having my thoughts on that ridiculed / dismissed as clueless.
You are describing a system I do not consider to be secure, and that I would not use, and at the same time being a pompous blowhard about it and wondering why everyone thinks it's such a hard problem when you have failed to solve it.
I am done with this conversation.
I don't think that's what I've done. I was arguing that there's nothing infeasible about package signing and simply having TOFU by pinning fingerprints alongside the versions works well. I haven't said building good systems for trust on top of that isn't a hard problem.

