[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Aug 27 16:42:37 BST 2019


On Tue, Aug 27, 2019 at 12:16 PM Luke Kenneth Casson Leighton
<lkcl at lkcl.net> wrote:
>
>
>
> On Tuesday, August 27, 2019, Jacob Lifshay <programmerjake at gmail.com> wrote:
>>
>> I posted a message linking to our mailing list on the crev matrix chat:
>> https://matrix.to/#/!uBhYhtcoNlyEbzfYAW:matrix.org
>
>
> Nice.  *waves hello*.

ah, how unfortunate:

jacob: "you might find that interesting. Luke initially mistakes crev
for a code signing and distribution mechanism, so a lot of it may not
be useful"

andrew: "that initial response from Luke pretty much makes me want to
run in the opposite direction of that mailing list. sorry."

he completely misunderstood, didn't he?  the article you linked to was
"The Problem Of Trusting Software Dependencies", and the author of the
article starts off with some assumptions and misunderstanding about
how debian works.

"Forget memory safety, the compilation and distribution model is
outright criminal."

from there i naturally assumed that, without an adequate description
of what crev actually is in the article, it was a code/binary
distribution mechanism.

i actually didn't realise this was on-list (at all) until about the
3rd message into the discussion.

only when you said "it's a code review system only" - that was the
only point at which i realised what it was.

like you said: you tried.

the sad thing is their misunderstanding/rejection will mean that they
don't see long-standing pre-existing research in this area (Advogato,
Keynote: RFC2704).

l.



More information about the libre-riscv-dev mailing list