[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Aug 27 06:03:57 BST 2019
On Tue, Aug 27, 2019 at 3:40 AM Jacob Lifshay <programmerjake at gmail.com> wrote:
> I found a very interesting article about crev:
> https://wiki.alopex.li/ActuallyUsingCrev
oh look. someone without a clue and who knows nothing of debian's
distribution package management is endeavouring to re-learn basic
web-of-trust chaining. i wonder if there's a model that is already
proven for 20+ years that works, or if there's anyone who knows about
it and can describe it and how it works?
https://slashdot.org/comments.pl?sid=14634346&cid=59120976
oh look! there is!
*face-palm*.... :)
"The Solution, Again? Nobody actually knows how to fix this."
wronggg....
"Will this web of trust model work? I don’t know."
then why are you rushing to use it?
oh dear.
> It's basically making a web of trust to handle making sure that
> dependencies are trustworthy.
i wonder why that's occurred to people, only now? what could they use? hmmmm...
https://en.wikipedia.org/wiki/Advogato
https://tools.ietf.org/html/rfc2704
https://wiki.debian.org/Keysigning
> Note that using crev doesn't require GitHub, it just requires a public
> git repo (the author doesn't use GitHub for their repo).
>
> There's currently only an implementation for Rust and Cargo:
> https://github.com/crev-dev/cargo-crev
>
> This definitely needs to be integrated into pip, npm, and other
> similar programs.
nooo: it needs a full audit and secure-design review. then and only
then should it be considered for adoption.
l.