[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Aug 27 11:24:44 BST 2019

On Tue, Aug 27, 2019 at 11:16 AM Jacob Lifshay <programmerjake at gmail.com> wrote:

> crev isn't designed for code signing, it's designed for code reviews, which
> are essentially a statement by the review signer that the code looked
> good/bad/so-so to them combined with how deep of a review they did and how
> well they think they understood the code along with the needed crypto to
> make sure the code you have is the same code they reviewed. crev doesn't
> support any more than that.

okaaay.  now it's starting to make sense.  as you've probably gathered
by now, that's a completely different set of design criteria from
those of code distribution.

code distribution hardening is *ridiculously* difficult.  the key
differences between code review and code distribution are that:

* the number of downloaders (and downloads), is vastly greater, and
(in good systems) mostly an "automated" process (beyond the initial
SHA-checksum verification at first-install)

* by contrast, a code *review* system will be a very small number of
people, and involves a manual - optional - process anyway.

fundamentally, then: a system that has been specifically designed for
code *review* is wholly and completely unsuited for code

this also explains why there is no documentation in crev on its use
and suitability for code *distribution*.


More information about the libre-riscv-dev mailing list