On Thu, May 6, 2010 at 4:07 PM, Dmitrijs Ledkovs <dmitrij.led...@ubuntu.com> wrote:
> http://en.wikipedia.org/wiki/Web_of_trust
>
> The thing that all packages in debian rely on to prove that they are
> authentic?

He said easier to trust PEOPLE.

Look at the PGP web of trust, people with dozens or hundreds of signatures on their PGP public keys. When I was using GPG for a year to sign my e-mails, I re-downloaded my public key from the key server and found that some 15 or so people that I'd never heard of had signed my key.

Your first response to this is going to point out that Ubuntu could trust only keys signed with keys that themselves are signed with an Ubuntu Master Key or some such; so maybe Martin's key is signed by Canonical, Inc and Martin signs your key, so you're valid. You sign another key, and that is still called "untrusted." Thus, we don't have the crazy uncontrolled mess described above.

Which brings us back to trusting people. Out of the hundreds or thousands of people that you want to incorporate into your trust hierarchy, how do you determine which can be trusted? Who is talking their way through you, showing good work, uploading hundreds of excellent packages with stopgap patches or well-requested features and things that won't go into Main or will go in later; but in secret, really waiting for a good time to slip malware into a package? It doesn't have to be patches they wrote; it could be a -ck kernel or a kernel with a piece from -mm, or a patch onto Gimp that's gained popularity but nobody felt fit to pay attention to, or any other 3-seconds-of-work patching process. More than 3 seconds? Oh, this one I hit a bump with, I think I'll just discard it; I've got plenty of other "work" to show.

The smoke and mirrors is a bit complex; but we're talking about a threat that essentially amounts to "someone wrote, compiled, packaged, tested, and uploaded a piece of malware to a repository they needed special permission to join." This is not a fat businessman pushing the "SPAM THE WORLD" button.
Every time someone suggests finding a way to trust people more (or in this case, trust more people), God laughs at them. A lot. The only way to fully trust an individual is to hang a camera and a turret above his head constantly, and even then you can't be sure; the only way to improve how much you can safely trust someone is to devote resources to learning about them on a personal and technical (i.e. background check) level. When you add hundreds of developers or just random people to a project, with direct access, you WILL have problems, and you WILL hand access to people who desperately don't need it. This is why the Linux Kernel has 30,000 developers and all of 1 or 2 people with commit access (Linus and who else? Drepper and Andrew maybe).

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
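The trust rule sketched in the message above (Canonical signs Martin's key, Martin signs yours, so yours is valid; a key you then sign is still untrusted; fifteen strangers' signatures on your key count for nothing) is a depth-limited web-of-trust validity check. The following is an added example written for this page, not code from the thread, from Ubuntu, or from GnuPG. The key names, the signature graph and the root key "canonical-master" are constructed for illustration, and the pure depth rule is an assumption that approximates GnuPG's max-cert-depth without its explicit per-key ownertrust; it also generalises the message's two-hop chain to any depth.

```python
"""Depth-limited web-of-trust validity check (added example, constructed data).

Models the rule described in the thread: only keys reachable from a trusted
root by a short enough chain of signatures are valid, and signatures made by
keys outside that chain carry no weight, however many of them there are.
"""
from collections import deque

# Constructed signature graph: signer -> set of keys that signer has signed.
# None of these are real key IDs; "canonical-master" stands in for the
# hypothetical Ubuntu/Canonical root key the message imagines.
SIGNATURES = {
    "canonical-master": {"martin"},
    "martin": {"you", "carol"},
    "you": {"friend"},        # you signed a friend's key
    "carol": {"dave"},
    # fifteen strangers who signed "you" with no path back to the root
    **{f"stranger{i:02d}": {"you"} for i in range(15)},
}


def validate_keys(signatures, roots, max_depth=2):
    """Return {key: (depth, signer)} for every key that is valid.

    Rules (an assumption chosen to match the message, not GnuPG's exact
    model, which assigns ownertrust per key rather than by depth alone):
      * a root is valid at depth 0 and may certify other keys;
      * a key signed by a certifying key at depth d is valid at depth d+1;
      * a valid key may certify others only while its depth is < max_depth.
    A signature from a key that is not valid is ignored entirely.
    Breadth-first search, so each key records its shortest path.
    """
    valid = {root: (0, None) for root in roots}
    queue = deque(roots)
    while queue:
        signer = queue.popleft()
        depth = valid[signer][0]
        if depth >= max_depth:
            continue  # valid, but too far from a root to certify anyone
        for signed in sorted(signatures.get(signer, ())):
            if signed not in valid:  # first (shortest) path wins
                valid[signed] = (depth + 1, signer)
                queue.append(signed)
    return valid


def trust_path(valid, key):
    """Chain of keys from a root down to `key`; [] if `key` is not valid."""
    path = []
    while key is not None and key in valid:
        path.append(key)
        key = valid[key][1]
    return path[::-1]


def signers_of(signatures, key):
    """Every key that has signed `key`, valid or not (raw signature count)."""
    return {signer for signer, signed in signatures.items() if key in signed}


if __name__ == "__main__":
    valid = validate_keys(SIGNATURES, ["canonical-master"], max_depth=2)
    for key in ("martin", "you", "friend", "stranger03"):
        print(f"{key:12s} signers={len(signers_of(SIGNATURES, key)):2d} "
              f"path={trust_path(valid, key) or 'NOT VALID'}")
```

Running the block shows "you" carrying sixteen signatures yet being valid only because of the one from martin, while "friend", signed by a valid but non-certifying key, and every stranger remain outside the trust set; raising max_depth to 3 is what it takes to make "friend" valid, which is the knob the message is arguing about.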