[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Aug 27 10:58:36 BST 2019


On Tue, Aug 27, 2019 at 10:47 AM Luke Kenneth Casson Leighton
<lkcl at lkcl.net> wrote:

> doing something as stupid as letting other people have access to a
> private key, when that person *specifically* went to the trouble of
> showing GOVERNMENT ID, not just once but multiple times, is... i mean,
> the thought of someone being happy with the consequences of sharing
> their private key after going through such an identity-proof
> procedure, they would actually have to be seriously mentally ill.

... or be coerced.  there was a russian debian developer who was
arrested for the crimes committed by someone using the tor exit node
that the developer happened to be running from his home.

there was absolutely no way that the debian team could know if his key
(and passphrase and/or smartcard) had been compromised.

so the debian-keyring package had to have an emergency update pushed
to security/updates, in order to revoke his GPG key.

in addition, all the packages that he'd been responsible for had to
have emergency debian-point-releases done (at the exact same time)
because otherwise people would download a package only to find that
the GPG key with which the package had been signed had been revoked.

crev - by having the developer be the sole exclusive single source of
not only the signing-key but also the repo *as well* - is vulnerable to
having someone be bribed, kidnapped, arrested, or even murdered.

by having a 2-step (or 3-step) process, someone else within the
"web-of-trust" can keep an eye on you and take over the package, if
need be.

these are the kinds of things that yes, a good package distribution
system *actually* takes into account, and mitigates.

l.
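The release policy the mail argues for (a second signer from the web-of-trust, plus key revocation, so one compromised developer key can never publish on its own) written out as an added example. This is not code from crev, Debian or the libre-riscv project; the reviewer names, secrets, package manifest and the HMAC-SHA256 stand-in for a detached GPG signature are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Reviewer:
    """One member of the web-of-trust. `secret` is a constructed stand-in
    for a private key; a real keyring would hold public keys and verify
    detached signatures instead of recomputing an HMAC."""
    name: str
    secret: bytes
    revoked: bool = False


def canonical(manifest: dict) -> bytes:
    # Stable serialisation so every signer signs exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign(reviewer: Reviewer, manifest: dict) -> str:
    # HMAC-SHA256 over the manifest stands in for a detached signature.
    return hmac.new(reviewer.secret, canonical(manifest), hashlib.sha256).hexdigest()


def approve_release(manifest: dict, signatures: dict, keyring: dict, threshold: int = 2) -> dict:
    """Decide whether a release may be published.

    signatures maps reviewer name -> signature over `manifest`.
    Policy: at least `threshold` valid signatures from distinct, non-revoked
    reviewers, and at least one from someone other than the uploader, so a
    single coerced or stolen key cannot approve a release by itself."""
    valid, reasons = [], []
    for name, sig in signatures.items():
        reviewer = keyring.get(name)
        if reviewer is None:
            reasons.append(f"{name}: not in keyring")
            continue
        if reviewer.revoked:
            # A revoked key is ignored even if its signature would verify.
            reasons.append(f"{name}: key revoked")
            continue
        if not hmac.compare_digest(sig, sign(reviewer, manifest)):
            reasons.append(f"{name}: signature does not match manifest")
            continue
        valid.append(name)
    independent = [n for n in valid if n != manifest["uploader"]]
    if len(valid) < threshold:
        reasons.append(f"only {len(valid)} valid signature(s), need {threshold}")
    if not independent:
        reasons.append("no signature from a reviewer other than the uploader")
    return {"accepted": len(valid) >= threshold and bool(independent),
            "valid": sorted(valid), "reasons": reasons}


def demo() -> dict:
    # Constructed keyring and manifest; secrets are example values only.
    keyring = {
        "alice": Reviewer("alice", b"alice-example-secret"),
        "bob": Reviewer("bob", b"bob-example-secret"),
        "carol": Reviewer("carol", b"carol-example-secret"),
    }
    manifest = {"package": "example-pkg", "version": "1.2.3",
                "sha256": hashlib.sha256(b"constructed tarball bytes").hexdigest(),
                "uploader": "alice"}
    results = {}
    # 1. The uploader alone: a genuine key, but nobody else looked at it.
    results["alone"] = approve_release(
        manifest, {"alice": sign(keyring["alice"], manifest)}, keyring)
    # 2. Uploader plus an independent reviewer: accepted.
    results["two_party"] = approve_release(
        manifest, {"alice": sign(keyring["alice"], manifest),
                   "bob": sign(keyring["bob"], manifest)}, keyring)
    # 3. Bob's signature reused against a changed manifest: rejected.
    bumped = dict(manifest, version="1.2.4")
    results["tampered"] = approve_release(
        bumped, {"alice": sign(keyring["alice"], bumped),
                 "bob": sign(keyring["bob"], manifest)}, keyring)
    # 4. Alice's key is revoked (the emergency keyring update in the mail):
    #    her still-valid signature no longer counts towards the threshold.
    keyring["alice"].revoked = True
    results["after_revocation"] = approve_release(
        manifest, {"alice": sign(keyring["alice"], manifest),
                   "bob": sign(keyring["bob"], manifest)}, keyring)
    # 5. Bob and Carol take the package over and ship without Alice.
    takeover = dict(manifest, uploader="bob")
    results["takeover"] = approve_release(
        takeover, {"bob": sign(keyring["bob"], takeover),
                   "carol": sign(keyring["carol"], takeover)}, keyring)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The "independent reviewer" rule is what makes the threshold meaningful: with threshold 2 but no independence check, a developer holding two keys (or an attacker holding a developer's key plus a stale one) could still self-approve.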
