a bit sad that "since for time_points, for for time_duration" grammar rule isn't as well known as it should
when - wenn
if - falls (mnemonic: "Fall" means "case" of which this is the adjective)
Some may not remember BitKeeper being used to maintain the Linux kernel source code and how a discrepancy was found (22 years ago) between that repo and the CVS repo. This kind of led to git and signed commits that we have today, etc.
Here's a short write up: https://blog.citp.princeton.edu/2013/10/09/the-linux-backdoo...
The Linux foundation, Linux distribution projects and other FOSS organization can issue code signing certs. The infrastructure burden isn't more significant than key servers or git repos. You can trust specific root CA's, there is no need to trust every public/commercial CA. As a result of commercial adaption, PKI has a lot of tooling and support that PGP lacks.
PGP is just so awkward to use. Fetching keys from key servers, googling if you have the right key,etc... a couple of weeks ago one of my Linux VMs on a rolling release wouldn't update packages because of a missing key. I only solved it after finding a stack overflow post suggesting to fetch a specific key.
The PGP ecosystem feels a lot like security theatrics instead of a well designed system that considers real-world threat models. Not that PKI lacks its own problems, but it is far more sturdy, easy to use and has a consistent user experience.
PGP relies too much on its users not making a mistake. A lot of its security properties depend on users carefully fetching the right key or attending key signing parties or whatever shoddy scheme you have to come up with. Anarchy doesn't work well in real life. I implicitly trust the Linux kernel devs as well as the maintainers of my Linux distribution. There is no reason why I shouldn't trust them to issue CA certs and issue code signing certs for ELF binaries, kernel modules and even scripts (powershell does this on windows!). Especially with things like flatpak and vendoring being so popular these days, PKI makes a lot of sense.
Any time I have to install commercial software, I have to add a whole new repo and trust that vendor's PGP keys. Imagine if instead those vendors were required to obtain code signing certs from distros and sign their packages. Actually, package signing is nice and all but the lack of actual well supported executable/script signing is disappointing.
I get the whole modular Unix philosophy around this whole topic. But the FOSS ecosystem has come a long way and pretending dependencies don't exist or that projects live isolated on an island is disconnected from reality.
There are lots of trust issues with open source software due to how hard it is to mange supply chain security. Practical approaches like PKI in my opinion can contribute a lot to the improvement of trust for such projects.
I'm also not sure why a distro would be interested in signing keys for third parties, why isn't said software packaged by the distro?
If you look at Windows, MacOS, Android, iOS, virtually any other mass-adapted OS, the OS provides authentication and integrity services for all packages, including third-party packages and programs.
Providing a framework where developers can attest their software and ensure it is trusted is a bare-minimum expectation for a modern OS.
The Git tracking part isn't an issue, what they should instead do is Git track CA root and intermediate certs and setup a website or workflow where details like the developer, the security checks done, the permissions and privacy implications of the software are attested by the distro and a certificate is issued.
The ideal state is such that all software not developed on that system should not be allowed to run unless its authenticity and integrity are validated and the admin/user signs off on the authenticated properties of the software.
The distro is a compete system, and doesn't care about your third party software (again, why should they), as they already have a system to manage software, if the developer wants to do their own thing, that's a them problem. If you want to install random unpackaged stuff, go ahead, it's your machine (as nearly every OS allows), and if you don't want to run random stuff, don't install it.
Distros should do the same thing but for user space.
Your attitude on the last paragraph is a big pet-peeve of mine. All problems while someone uses a distro are the distro's problem. period. If I have to install third-party software, the distro is allowing me to do that, it is not "my" problem. It is the distros problem in that they should facilitate secure third-party software package installation and management. They already do that by allowing management of third party repos and package signing keys. Saner distros like ubuntu have a whole third party app market place.
It isn't "random stuff" as you put it, it is software like any other that people want to run. The distro's role is to make that happen best they can. Not every package will be in their repo or managed in a repo. things will never be perfect but this attitude of passing the buck to users instead of at least acknowledging the problem is endemic.
Otherwise their roles are what they think their roles are.
jmclnx•9mo ago
Then there is the added complexity of git using SHA1, I do not know if that has been changed yet.
Fun times ahead.
FWIW, I changed my git commit signing to ssh-ed25519 from gnupg about a month ago.
freeopinion•9mo ago
https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/0004...
kpcyrd•9mo ago
But even then, when using ed25519+sha256 to generate a signature, you're still going to do this over a sha1 hash because of the way git works.
arccy•9mo ago