[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies

Jacob Lifshay programmerjake at gmail.com
Tue Aug 27 20:18:52 BST 2019

On Tue, Aug 27, 2019, 08:43 Luke Kenneth Casson Leighton <lkcl at lkcl.net> wrote:

> On Tue, Aug 27, 2019 at 12:16 PM Luke Kenneth Casson Leighton
> <lkcl at lkcl.net> wrote:
> >
> > On Tuesday, August 27, 2019, Jacob Lifshay <programmerjake at gmail.com> wrote:
> >>
> >> I posted a message linking to our mailing list on the crev matrix chat:
> >> https://matrix.to/#/!uBhYhtcoNlyEbzfYAW:matrix.org
> >
> >
> > Nice.  *waves hello*.
>
> ah, how unfortunate:
>
> jacob: "you might find that interesting. Luke initially mistakes crev
> for a code signing and distribution mechanism, so a lot of it may not
> be useful"
>
> andrew: "that initial response from Luke pretty much makes me want to
> run in the opposite direction of that mailing list. sorry."
>
> he completely misunderstood, didn't he?  the article you linked to was
> "The Problem Of Trusting Software Dependencies", and the author of the
> article starts off with some assumptions and misunderstanding about
> how debian works.
>
> "Forget memory safety, the compilation and distribution model is
> outright criminal."
>
> from there i naturally assumed that, without an adequate description
> of what crev actually is in the article, it was a code/binary
> distribution mechanism.
>
> i actually didn't realise this was on-list (at all) until about the
> 3rd message into the discussion.
>
> only when you said "it's a code review system only" - that was the
> only point at which i realised what it was.
>
> like you said: you tried.
>
> the sad thing is their misunderstanding/rejection will mean that they
> don't see long-standing pre-existing research in this area (Advogato,
> Keynote: RFC2704).

they may see/have seen it: andrew did read the whole thread at the time,
also andrew is not the only project member, others may also read it.

personally, I may have agreed with him that it's better to not get involved
if this thread had been my first contact with the libre-riscv project.


