[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Aug 27 06:03:57 BST 2019
On Tue, Aug 27, 2019 at 3:40 AM Jacob Lifshay <programmerjake at gmail.com> wrote:
> I found a very interesting article about crev:
oh look. someone without a clue and who knows nothing of debian's
distribution package management is endeavouring to re-learn basic
web-of-trust chaining. i wonder if there's a model that is already
proven for 20+ years that works, or if there's anyone who knows about
it and can describe it and how it works?
oh look! there is!
"The Solution, Again? Nobody actually knows how to fix this."
"Will this web of trust model work? I don’t know."
then why are you rushing to use it?
> It's basically making a web of trust to handle making sure that
> dependencies are trustworthy.
i wonder why that's occurred to people, only now? what could they use? hmmmm...
> Note that using crev doesn't require GitHub, it just requires a public
> git repo (the author doesn't use GitHub for their repo).
> There's currently only an implementation for Rust and Cargo:
> This definitely needs to be integrated into pip, npm, and other
> similar programs.
nooo: it needs a full audit and secure-design review. then and only
then should it be considered for adoption.