Having a central build / signing server doesn't mean a developer wasn't also fully trusted with what they told the server to build, without anyone reviewing what they asked it to build. It's usually not the case that a central build server is trusted *instead* of developers.
Conversation
I will take a central builder/signer over a bunch of TOFU signing keys for signing random binary blobs who knows built who knows how on who knows what, thank you very much
2
Mystery binaries, signed by random keys. But it’s secure, because TOFU.
1
You’re arguing 15 different points at once in an incredibly incoherent manner while spouting insults.
2
Instead of saying shit like this, if you want to have a productive conversation, provide clarafications? This is just negging.
Quote Tweet
Replying to @bascule and @hdevalence
I never said that.
1
I don't know what else to say beyond that I didn't say that. I don't understand why you're mad at me. I've been trying my best to clarify what I said initially and I wasn't trying to turn it into something hostile.
1
Here is what you said:
Quote Tweet
Replying to @DanielMicay @bascule and @hdevalence
Developers build and sign the binary packages with their own keys. They're responsible for the security of their packages. The package manager trusts packages signed by a packager with at least 3/5 signatures from the master keys on their personal package signing key.
2
It appears you wanted to clarify how the PKI worked, because I was unclear about how the PKI worked, because at the same time you were also making an unrelated argument about TOFU. But instead of saying what was incorrect, you just negged.
1
I don't know what negged means in this context. I was trying to present 2 counterexamples to package signing done via centralized servers. Until recently, all Android apps were signed with developer keys (vast majority still are) and there are distributions not centralizing it.
2
Part of my point was that these are imperfect systems without fancy things like reproducible builds + multisig, but yet they're still very useful and a lot better than the alternative of not having package signing. Even just having TOFU via the lock files would be quite useful.
I was curious about what exactly the old developer had to do in order to hand off control and was surprised by there not being a mechanism for even doing TOFU pinning. I thought they'd have had to hand over a key, but it's mostly just a username/password protecting each package.
1
I didn't mean to get into an argument about this and make you upset. This doesn't work well as a medium for having a productive conversation. It's hard to follow the threads and it comes across as way more adversarial than intended. I didn't notice that it was becoming hostile.