Simon Josefsson wrote:
> > I see. Indeed, if many developers would share their PGP key through
> > Savannah, the GNU keyring, GitHub, GitLab, their own home page, etc., it
> > would become harder for an attacker to introduce a spoofed one in all of
> > these places. OTOH, since these are not regular but ad-hoc distribution
> > patterns, it's hard to build a tool that fulfils the job of "given the
> > name and email address of a developer, give me their PGP key and a trust
> > estimation".
> 
> ...  The social world relies on many different minor trust
> mechanisms, each of them fallible, that overall build up trust.  I don't
> think we can solve this technically.

Maybe not "solve" technically, but at least help technically?
Hunting down a developer's PGP key from various places is something that
would cost me 30 minutes when done by hand. I'm willing to spend this time
when looking for an employer with a remote-working job offer. But I would
not spend this time on the signer of a random software package before I'm
going to install that on my system.

So, I think that an automated tool that collects the available PGP keys
from various locations (from Savannah to the home page) would be a game
changer, when it comes to replace the "web of trust" that was previously
based on keysigning parties.

> Yes, I think this is where technology meets the social world: trust
> cannot be fully automated, or it becomes a central point of failure and
> attracts abuse.

I don't understand this sentence. When it comes to the tool described
above, how would it "become a central point of failure and attract abuse"?

> Unfortunately Git signatures have that
> property: it is really messy to use PGP and X509 and SSH signatures on
> git tags in the same project.  This is a git wart: there is no reason a
> git tag couldn't have both a PGP and S/MIME and a SSH signature on it.
> I'm signing all of my git commits and tags with PGP, but if we would
> enforce that, we are stuck with git's limits on this.

That's not the only problem of Git commit signatures. The other, major
problem is that it prevents commits from anonymous committers. While, in
general, we dislike anonymity because we equate it with irresponsible
behaviour, in some cultures anonymity is the only way of doing things
freely, without the risk of imprisonment and torture. This is the case
today in countries with an authoritarian government (such as Iran and
Türkiye); but it was already the case in some places 2500 years ago [1][2].

Also, remember that even Jia Tan (from xz fame) had a PGP key [3]; so,
enforcing a PGP key does not help in the face of state-based evil actors.

Bruno

[1] The Bible: Book Esther, chapter 2, verses 10 and 20.
[2] The Bible: Book Jeremiah, chapter 36, verse 26.
[3] https://www.reddit.com/r/archlinux/comments/1byfwy3/found_jia_tan_of_xz_package_backdoor_gpg_key_in/
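The "collect the key from many places and estimate trust" tool discussed above, reduced to its core check, as an added illustration (this is not code from the thread's participants or from any GNU project). The idea is that a spoofed key has to be planted in every independent location to go unnoticed, so the tool counts how many independent sources publish the same fingerprint and flags any source that disagrees. The sources, fingerprints and the `min_sources` threshold below are constructed placeholders; nothing is fetched from the network.

```python
"""Cross-source corroboration of a developer's PGP key fingerprint.

Constructed example: each "source" (Savannah, the GNU keyring, a project
home page, ...) is represented by the list of fingerprints it published for
one developer. Real fetchers would replace the SAMPLE dict; the logic is
the same.
"""
from collections import defaultdict
import re

NON_HEX = re.compile(r"[^0-9A-F]")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: uppercase hex, no spaces, no 0x prefix.

    Accepts a 40-hex v4 fingerprint or a 16-hex long key ID; anything else
    (short 8-hex key IDs, truncated copy-paste) is rejected rather than
    silently compared.
    """
    s = fp.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    s = NON_HEX.sub("", s.upper())
    if len(s) not in (16, 40):
        raise ValueError(f"not a fingerprint or long key ID: {fp!r}")
    return s


def same_key(a: str, b: str) -> bool:
    """True if a and b denote the same key.

    A long key ID is the last 16 hex digits of the fingerprint, so an ID is
    allowed to match the tail of a full fingerprint. (Two different keys can
    share a long ID, so a full fingerprint is always the stronger evidence.)
    """
    return a == b or (len(a) != len(b) and (a.endswith(b) or b.endswith(a)))


def corroborate(observations: dict, min_sources: int = 2):
    """observations: {source_name: [fingerprint strings]}.

    Returns (best_fingerprint_or_None, agreeing_sources, conflicting_sources).
    best is None when fewer than min_sources independent sources agree.
    """
    seen = defaultdict(set)  # canonical key -> set of sources publishing it
    for source, fps in observations.items():
        for fp in fps:
            canon = normalize_fingerprint(fp)
            merged = False
            for known in list(seen):
                if same_key(known, canon):
                    # keep the longer (full fingerprint) form as the bucket key
                    target = known if len(known) >= len(canon) else canon
                    if target != known:
                        seen[target] |= seen.pop(known)
                    seen[target].add(source)
                    merged = True
                    break
            if not merged:
                seen[canon].add(source)
    if not seen:
        return None, set(), []
    best, agreeing = max(seen.items(), key=lambda kv: len(kv[1]))
    conflicts = sorted(s for k, srcs in seen.items() if k != best for s in srcs)
    if len(agreeing) < min_sources:
        return None, agreeing, conflicts
    return best, agreeing, conflicts


# Constructed sample: four sources, three agree (one only gives a key ID),
# one publishes a different key. None of these are real keys.
SAMPLE = {
    "savannah": ["1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"],
    "gnu-keyring": ["0x123456789ABCDEF0123456789ABCDEF012345678"],
    "homepage": ["9ABC DEF0 1234 5678"],
    "mirror": ["FFFF FFFF FFFF FFFF FFFF  FFFF FFFF FFFF FFFF FFFF"],
}

if __name__ == "__main__":
    best, agreeing, conflicts = corroborate(SAMPLE)
    print("best fingerprint:", best)
    print("agreeing sources:", sorted(agreeing))
    print("conflicting sources:", conflicts)
```

The conflict list is the part worth surfacing: one disagreeing source is not proof of tampering (stale pages and key rotations are common), but it is exactly the signal a human should look at before trusting a signature, which is the 30-minute manual hunt the message describes.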