I don't mean to be a killjoy but "vouching for trusted people" is not a scalable way to build a software ecosystem.

12 Posts 4 Posters 0 Views
coderanger@cloudisland.nz #1

    I don't mean to be a killjoy but "vouching for trusted people" is not a scalable way to build a software ecosystem. I was there, I ran signing parties, I was a CAcert assurer, I've got a strong-set GPG key in a hardware token, none of it worked beyond the most fringe of the fringe dorks. You get a few ossified relationships between major public figures and a small ring of friends around each, and then your permissions are effectively locked down forever. Do you want to live in the world where you need to have a million followers to launch a new framework?

    The ecosystem we've all been building in and on top of for decades is so deeply permeated by "assume good intent" at all levels that I'm not sure people are ready for the velocity reduction that is coming after the next few claw-based JiaTans. The first one will be an oddity, but eventually we're going to have to grapple with buying huge vertically integrated dev stacks from Trusted Vendors™ or we make everything from scratch again.

    coderanger@cloudisland.nz #2

    By all means invest in lifecycle security tools, BOMs are nice and package signature checks keep out the simple attacks. But they don't solve the deep social issue: mass collaboration at a planetary scale seems to be beyond the capabilities of our fragile brains. We are too easily taken in by things which appear to be a person which shares our values. Modern open-source leadership is effectively a mental DDoS, and if that breaks down then what is going to replace it? If you think the AI coding models are advancing so well that we'll all soon just be coding via prompts alone then okay, I strongly disagree but that's at least a consistent world view. If not, genuinely where do we go from here? Having a thousand little webs-of-trust is not functionally better than having a million random "people", and that's being extremely generous on the scale of those webs.

    I don't care if Dunbar's Number is real or what the value is but the slippery slope has slid, whatever the limit we are over it.


      dalias@hachyderm.io #3

      @coderanger I do have what I think is a viable model for this, but piggybacking on SSI that you first build out relationships on for social networking, like a truly decentralized, instanceless version of the fediverse.

      As for the immediate problem, we pin back and plan to phase out whatever dependencies are accepting slop.


        chansecodina@sunny.garden #4

        @coderanger I've been thinking for a while now that it might be worth taking another shot at the web-of-trust. Long term, I think it's the only way forwards, but I agree unless it's dead simple to use it'll be impossible to hit critical mass. I think there will need to be some compromises on the theoretical security (TOFU vs key signing parties? verifying social media handles vs verifying government IDs?). If we could share a <128 character code on Mastodon (or Matrix or IRC) that served the same purpose as a GPG pub key, I think it'd be a lot easier to get people started.

        I guess what I'm saying is: I recognize that getting a web of trust going is a Herculean task and that it failed once before, but in the absence of other good options I think it's worth considering whether we should take another stab at it having learned our lessons from the past.


          malwareminigun@infosec.exchange #5

          @chansecodina @coderanger The problem is that web of trust would have done nothing against JiaTan. They were the upstream maintainer and had permission at a project level to mint the release they minted so they would have had the right keys.


            coderanger@cloudisland.nz #6

            @malwareminigun Presumably in a WoT world, the original maintainers would have checked who vouched for this new guy before adding them as a maintainer. Which just moves the problem from "socially engineer a project owner" to "... someone a project owner trusts, directly or indirectly". This is kind of an improvement but not in a hugely meaningful way.


              malwareminigun@infosec.exchange #7

              @coderanger They *did*. That's how JiaTan got maintainer status on the xz project's repo.


                coderanger@cloudisland.nz #8

                @malwareminigun To the best of my knowledge that is not true. What has been reconstructed of Jia (for lack of a better name) getting added was mostly via sock-puppets and pressure tactics. The original maintainer was effectively bullied into adding them, relatively cursory checks showed this person didn't exist until shortly before the attack started.


                  malwareminigun@infosec.exchange #9

                  @coderanger It doesn't matter if they were "bullied", the fact is that they did it. JiaTan being able to push a release was not a surprise to the original maintainers.


                    coderanger@cloudisland.nz #10

                    @malwareminigun I think you might be misunderstanding this as being about package security, which I'm not sure anyone is discussing web-of-trust for? The recent push between projects like Vouch and humans.json has been to do maintainer-level trust analysis. I posit this will be ineffective.


                      chansecodina@sunny.garden #11

                      @malwareminigun @coderanger You can't expect to solve all social problems with technical tools. That said, if a group of accounts, all with zero external relationships in the web of trust, mounts an influence campaign to get one of their own members made into a project maintainer it's going to look fishy.

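An added illustration, not code from anyone in this thread, of the two mechanisms raised in #4 and #11: a public key short enough to paste into a Mastodon post (a base64-encoded Ed25519 public key is 44 characters), signed vouch statements, and a check of whether the accounts vouching for a candidate are themselves reachable by following verified vouches outward from keys a project already trusts. The identities, the `vouch:<voucher>:<subject>` statement format and the scenario are all constructed for the example. It shows what such a graph can flag (a ring of vouchers with no verified link to trusted keys, and a forged vouch in a maintainer's name) and, in line with #12, what it cannot: it says nothing about who the accounts in the ring are, and once a trusted maintainer has vouched for someone directly the check passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
)

// Identity is one participant. Key() is the shareable form: base64 of the 32-byte
// Ed25519 public key, 44 characters, short enough for a profile bio or a post.
type Identity struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity() Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return Identity{pub: pub, priv: priv}
}

func (id Identity) Key() string { return base64.StdEncoding.EncodeToString(id.pub) }

// Vouch is a signed statement "Voucher vouches for Subject"; both fields are shareable keys.
type Vouch struct {
	Voucher, Subject string
	Sig              []byte
}

// vouchMessage is the constructed statement format used for this example.
func vouchMessage(voucher, subject string) []byte {
	return []byte("vouch:" + voucher + ":" + subject)
}

func (id Identity) Vouch(subject Identity) Vouch {
	v := Vouch{Voucher: id.Key(), Subject: subject.Key()}
	v.Sig = ed25519.Sign(id.priv, vouchMessage(v.Voucher, v.Subject))
	return v
}

// VerifyVouch rejects a vouch whose signature was not made by the claimed voucher key,
// so nobody can fabricate a vouch "from" an established maintainer.
func VerifyVouch(v Vouch) bool {
	pub, err := base64.StdEncoding.DecodeString(v.Voucher)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), vouchMessage(v.Voucher, v.Subject), v.Sig)
}

// Connectivity asks: of the accounts vouching for candidate, how many are reachable by
// following verified vouches outward from roots? Edges out of the candidate are never
// followed, so a ring that vouches only for itself and for the candidate scores 0 of N.
func Connectivity(roots []string, vouches []Vouch, candidate string) (reachable, total int) {
	adj := map[string][]string{}
	vouchers := map[string]bool{}
	for _, v := range vouches {
		if !VerifyVouch(v) {
			continue // forged or tampered: ignore
		}
		adj[v.Voucher] = append(adj[v.Voucher], v.Subject)
		if v.Subject == candidate {
			vouchers[v.Voucher] = true
		}
	}
	seen := map[string]bool{}
	for _, r := range roots {
		seen[r] = true
	}
	for queue := append([]string(nil), roots...); len(queue) > 0; queue = queue[1:] {
		if cur := queue[0]; cur != candidate {
			for _, next := range adj[cur] {
				if !seen[next] {
					seen[next] = true
					queue = append(queue, next)
				}
			}
		}
	}
	for v := range vouchers {
		total++
		if seen[v] {
			reachable++
		}
	}
	return reachable, total
}

// Scenario is a constructed graph: a maintainer as trust root, a contributor they vouched for,
// a newcomer vouched by that contributor, and a ring of three accounts vouching only for each
// other and for a fourth account they are pushing, plus one forged vouch in the maintainer's name.
func Scenario() (newcomerReach, newcomerTotal, pushedReach, pushedTotal int) {
	maintainer, contributor, newcomer := NewIdentity(), NewIdentity(), NewIdentity()
	p1, p2, p3, pushed := NewIdentity(), NewIdentity(), NewIdentity(), NewIdentity()
	vouches := []Vouch{
		maintainer.Vouch(contributor), contributor.Vouch(newcomer),
		p1.Vouch(p2), p2.Vouch(p3), p3.Vouch(p1),
		p1.Vouch(pushed), p2.Vouch(pushed), p3.Vouch(pushed),
	}
	forged := Vouch{Voucher: maintainer.Key(), Subject: pushed.Key()}
	forged.Sig = ed25519.Sign(p1.priv, vouchMessage(forged.Voucher, forged.Subject)) // p1 signs, not the maintainer
	vouches = append(vouches, forged)
	roots := []string{maintainer.Key()}
	newcomerReach, newcomerTotal = Connectivity(roots, vouches, newcomer.Key())
	pushedReach, pushedTotal = Connectivity(roots, vouches, pushed.Key())
	return
}
```

In the scenario the newcomer scores 1 of 1 (their only voucher is reachable from the maintainer) and the pushed account scores 0 of 3: the forged vouch is dropped at signature check, and the three remaining vouchers have no verified path back to any trusted key. That is the "looks fishy" signal from #11, and nothing more: the check cannot tell whether the ring is three people or one, and it is silent once the maintainer has been talked into vouching directly.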

                        malwareminigun@infosec.exchange #12

                        @chansecodina That would require having people outside the project paying attention to the sock puppet campaign, which was clearly not the case.

                        You can't show that the sock puppets are related with cryptography.

                        I agree that you can't solve social problems with technical tools. But that's kind of @coderanger 's point as I understand it.

                        There has been absolutely nothing proposed that would have stopped JiaTan.
