[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies

Jacob Lifshay programmerjake at gmail.com
Tue Aug 27 11:16:21 BST 2019 

On Tue, Aug 27, 2019, 02:59 Luke Kenneth Casson Leighton <lkcl at lkcl.net>
wrote:

> On Tue, Aug 27, 2019 at 10:47 AM Luke Kenneth Casson Leighton
> <lkcl at lkcl.net> wrote:
>
> > doing something as stupid as letting other people have access to a
> > private key, when that person *specifically* went to the trouble of
> > showing GOVERNMENT ID, not just once but multiple times, is... i mean,
> > the thought of someone being happy with the consequences of sharing
> > their private key after going through such an identity-proof
> > procedure, they would actually have to be seriously mentally ill.
>
> ... or be coerced.  there was a russian debian developer who was
> arrested for the crimes committed by someone using the tor exit node
> that the developer happened to be running from his home.
>
> there was absolutely no way that the debian team could know if his key
> (and passphrase and/or smartcard) had been compromised.
>
> so the debian-keyring package had to have an emergency update pushed
> to security/updates, in order to revoke his GPG key.
>
> in addition, all the packages that he'd been responsible for had to
> have emergency debian-point-releases done (at the exact same time)
> because otherwise people would download a package only to find that
> the GPG key with which the package had been signed had been revoked.
>
> crev - by having the developer be the sole exclusive single source of
> not only the signing-key but also the repo *as well*, is vulnerable to
> having someone be bribed, kidnapped, arrested, or even murdered.
>
> by having a 2-step (or 3-step) process, someone else within the
> "web-of-trust" can keep an eye on you and take over the package, if
> needs be.
>

crev isn't designed for code signing, it's designed for code reviews, which
are essentially a statement by the review signer that the code looked
good/bad/so-so to them combined with how deep of a review they did and how
well they think they understood the code along with the needed crypto to
make sure the code you have is the same code they reviewed. crev doesn't
support any more than that. the idea is that downstream users would combine
several peoples reviews as a way to help them know that the code isn't
malicious.

because a single code review is not usually sufficient to declare a package
to be valid, the security properties are quite a bit different than for
code signing.

>
> these are the kinds of things that yes, a good package distribution
> system *actually* takes into account, and mitigates.
>
> l.
>
> _______________________________________________
> libre-riscv-dev mailing list
> libre-riscv-dev at lists.libre-riscv.org
> http://lists.libre-riscv.org/mailman/listinfo/libre-riscv-dev
>

More information about the libre-riscv-dev mailing list