[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Aug 27 11:24:44 BST 2019
On Tue, Aug 27, 2019 at 11:16 AM Jacob Lifshay <programmerjake at gmail.com> wrote:
> crev isn't designed for code signing, it's designed for code reviews, which
> are essentially a statement by the review signer that the code looked
> good/bad/so-so to them combined with how deep of a review they did and how
> well they think they understood the code along with the needed crypto to
> make sure the code you have is the same code they reviewed. crev doesn't
> support any more than that.
okaaay. now it's starting to make sense. as you've probably gathered
by now, that's a completely different set of design criteria from
those of code distribution.
code distribution hardening is *ridiculously* difficult. the key
differences between code review and code distribution are that:
* the number of downloaders (and downloads), is vastly greater, and
(in good systems) mostly an "automated" process (beyond the initial
SHA-checksum verification at first-install)
* by contrast, a code *review* system will be a very small number of
people, and involves a manual - optional - process anyway.
fundamentally, then: a system that has been specifically designed for
code *review* is wholly and completely unsuited for code
this also explains why there is no documentation in crev on its use
and suitability for code *distribution*.
More information about the libre-riscv-dev