Bruno Haible via Gnulib discussion list <bug-gnulib@gnu.org> writes:

> Simon Josefsson wrote:
>> My primary goal is to have something stronger than a HTTPS URL to
>> Savannah as a trust anchor for how to retrieve gnulib. PGP signatures
>> on a serialized file, like a tarball or git bundle, is stronger.
>
> There's something I don't understand here. Can you please explain?
>
> Ten years ago, PGP key signing parties were common. They are not common
> any more. The prior knowledge summarization engine explains this with a
> demise of the "web of trust" model (see attachment).
>
> This is consistent with the following observation: When I download your
> PGP key from https://savannah.gnu.org/users/jas, I see that it has only
> self-signatures.

Savannah admins made a decision to "minimize" uploaded keys, removing
all signatures. I think that is a bad idea, but some people suggest
GDPR makes people do this. You can get my keys with signatures from some
other people here:

https://josefsson.org/key-20190320.txt

If you imported that four years ago, you would be able to confirm things
I sign today come from me.

> So, if the "web of trust" is dead, that is, people only self-sign their
> keys, it means that Savannah trusts a developer's PGP key (and includes
> it in the GNU keyring) *only* because that developer has submitted it via
> the Savannah web interface, and for that he must have proven that he is
> in possession of his Savannah web password.
>
> Since an evil PGP key could be entered
> a) by an institution that is able to break the HTTPS of Savannah, or
> b) by an individual that is exploiting a web UI vulnerability of Savannah,
> or
> c) by an individual that has been hijacking the developer's desktop
> session for five minutes,
> the authenticity of said PGP key is _weaker_ than the HTTPS of Savannah.
>
> Hence, augmenting the HTTPS of Savannah with something that is weaker than
> the HTTPS of Savannah does not add security. It merely adds a false impression
> of added security. Right?

There are many possible responses here, but some aspects:

x) One advantage with PGP on a tarball compared to a HTTPS git clone is
that you can archive what you received offline and compare that
bit-by-bit identical with what others received. It makes it harder
to perform targeted per-IP attacks, sending different code to
different targets. Git clones don't have this property (the
directory content differs every time), and alas even git bundles don't
seem to either. The HTTPS protection is just in-transit, it doesn't
say anything about your stored content on disk like a PGP key does.

x) I don't need the web of trust to gain advantages: if I got your PGP
key a couple of years ago and still have it locally, your newly made
signature will verify against it. I wouldn't fetch your key on every
verification attempt. It is only when keys are rotated that I need
to make a new trust decision. If you continue to use your key for a
couple of years, I will gain trust over time by seeing your continued
use of that key.

x) Opponents of web-of-trust like to declare it as dead, but just
because it hasn't taken over the world doesn't mean it doesn't work.
If we meet and sign each other's keys, at least I would put some
increased trust in all keys that you would sign before that and later
on, since at least I could blame you if you signed some malicious
keys.

x) It is better to get the PGP key from multiple places, which is one
reason the announcements mention a couple of ways, since it is harder
to pollute all of them at the same time. I'm hoping people aren't
only trusting Savannah PGP key distribution mechanism here.

I think the essential concern here is that we engineers are good at
identifying problems with a solution (and admittedly there are many
problems with PGP), and therefore end up dismissing a solution. Sometimes
this is good (e.g., rejecting really bad solutions), sometimes this is
bad (e.g., rejecting solutions with problems when there is no better
alternative around).

If there are better suggestions to protect against supply-chain attacks,
I'm all for discussing and implementing them. We need more of these
rather than less, and I believe we need multiple mechanisms. PGP is
easy to complain about, but using it provides some features we don't have
otherwise, which is why I encourage use of it. Minisign, signify, Git
SSH signatures, age, X509/SMIME, Sigstore and Sigsum are other
approaches worth considering.

/Simon
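The bookkeeping behind three points in the message above (a locally kept key, fetching the key from several places, and comparing the archived tarball with what others received), as an added example that is not part of the original message or of any gnulib or Savannah tooling. It does not perform the signature check itself; the function names, source names and sample bytes are hypothetical, and a SHA-256 digest of the key bytes stands in for an OpenPGP fingerprint.

```python
import hashlib

def digest(data: bytes) -> str:
    # Assumption: SHA-256 of the raw bytes stands in for an OpenPGP fingerprint.
    return hashlib.sha256(data).hexdigest()

def key_decision(pinned, fetched):
    """pinned: digest of the key kept locally from earlier, or None.
    fetched: {source name: key bytes just retrieved from that source}."""
    if not fetched:
        raise ValueError("no key sources given")
    seen = {src: digest(key) for src, key in fetched.items()}
    distinct = set(seen.values())
    if len(distinct) > 1:
        # Polluting every channel at once is harder, so disagreement is a signal.
        if pinned in distinct:
            odd = sorted(s for s, d in seen.items() if d != pinned)
            return "alert: differs from pinned key at " + ", ".join(odd)
        return "alert: sources disagree with each other"
    if pinned is None:
        return "first use: all sources agree, pin this key"
    if pinned in distinct:
        return "ok: matches pinned key"
    # Every source serves the same key, but not the one we hold: a rotation.
    return "rotation: new trust decision needed"

def divergent_recipients(my_copy: bytes, reported: dict) -> list:
    """reported: {recipient: hex digest of the tarball they archived}.
    Returns recipients whose archived copy is not bit-identical to ours."""
    mine = digest(my_copy)
    return sorted(r for r, d in reported.items() if d != mine)

# Constructed sample data (not real keys, tarballs or hosts).
OLD_KEY, NEW_KEY, EVIL_KEY = b"key-2019", b"key-rotated", b"key-injected"
TARBALL = b"constructed release tarball bytes"

if __name__ == "__main__":
    pin = digest(OLD_KEY)
    print(key_decision(pin, {"forge": OLD_KEY, "homepage": OLD_KEY}))
    print(key_decision(pin, {"forge": EVIL_KEY, "homepage": OLD_KEY}))
    print(key_decision(pin, {"forge": NEW_KEY, "homepage": NEW_KEY}))
    print(divergent_recipients(TARBALL, {
        "alice": digest(TARBALL),
        "bob": digest(b"tarball served only to bob"),
    }))
```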