[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Aug 27 06:03:57 BST 2019

On Tue, Aug 27, 2019 at 3:40 AM Jacob Lifshay <programmerjake at gmail.com> wrote:

> I found a very interesting article about crev:
> https://wiki.alopex.li/ActuallyUsingCrev

oh look.  someone without a clue and who knows nothing of debian's
distribution package management is endeavouring to re-learn basic
web-of-trust chaining.  i wonder if there's a model that is already
proven for 20+ years that works, or if there's anyone who knows about
it and can describe it and how it works?


oh look! there is!

*face-palm*.... :)

 "The Solution, Again? Nobody actually knows how to fix this."


"Will this web of trust model work? I don’t know."

then why are you rushing to use it?

oh dear.

> It's basically making a web of trust to handle making sure that
> dependencies are trustworthy.

i wonder why that's occurred to people, only now?  whatcould they use?  hmmmm...


> Note that using crev doesn't require GitHub, it just requires a public
> git repo (the author doesn't use GitHub for their repo).
> There's currently only an implementation for Rust and Cargo:
> https://github.com/crev-dev/cargo-crev
> This definitely needs to be integrated into pip, npm, and other
> similar programs.

nooo: it needs a full audit and secure-design review.  then and only
then should it be considered for adoption.


More information about the libre-riscv-dev mailing list