
The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 15:04 UTC (Wed) by IanKelling (subscriber, #89418)
Parent article: The Linux Foundation's "sigstore" project

The content of the sigstore website is unreadable without downloading and running at least one nonfree program in your browser

https://cdnjs.cloudflare.com/ajax/libs/modernizr/2.8.3/mo...

Requiring people to run arbitrary javascript, which could compromise the computer if there exists one of many security holes, is not the right way to start for securing software distribution.


The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 15:09 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (17 responses)

> The content of the sigstore website, is unreadable without downloading and running at least one nonfree program in your browser

That Javascript is not non-free.

https://github.com/Modernizr/Modernizr

Minimizing it in this case is just an optimization for faster loading.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 15:51 UTC (Wed) by Rigrig (subscriber, #105346) [Link] (16 responses)

I'm not sure "You can find the source somewhere online" qualifies as free software.

What really annoys me though is that this could just have been a plain HTML page.
And it is.
But then someone used CSS to stick a "preloader" in front of the whole page and added some javascript (which depends on a bunch of external javascript libraries) to hide the loader after some delay.
So the only way to read it is to either run a bunch of external javascript blobs, or to also disable stylesheets.

And I think that a project which aims to improve the supply chain could have bothered with providing checksums for those external blobs: https://en.wikipedia.org/wiki/Subresource_Integrity
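As an added illustration of the Subresource Integrity suggestion above (example code written for this page, not from the sigstore project or any commenter), the helpers below generate an `integrity` attribute for a third-party script and check a fetched body against it using the browser's matching rule: only the strongest listed algorithm counts, and any matching digest for that algorithm passes. The CDN URL and script body are constructed placeholders.

```python
"""Subresource Integrity (SRI) helpers: pin an externally hosted script to a
digest, and verify a fetched body the way a browser does before executing it."""
import base64
import hashlib

# Algorithms SRI permits, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algorithm: str = "sha384") -> str:
    """Return 'alg-<base64 digest>' for data, the value an integrity attribute carries."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> tag that pins the resource at src to the bytes in data.
    crossorigin is required for SRI checks on cross-origin fetches."""
    return (f'<script src="{src}" integrity="{sri_digest(data, algorithm)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(data: bytes, integrity: str) -> bool:
    """Browser-style check: parse space-separated metadata, keep only the
    strongest algorithm present, and pass if any digest for it matches data.
    Unknown tokens are ignored; empty metadata imposes no requirement."""
    parsed = []
    for token in integrity.split():
        alg, sep, value = token.partition("-")
        if sep and alg in SRI_ALGORITHMS:
            # The spec allows '?options' after the digest; they are ignored here.
            parsed.append((alg, value.split("?", 1)[0]))
    if not parsed:
        return True
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    return any(sri_digest(data, alg) == f"{alg}-{val}"
               for alg, val in parsed if alg == strongest)


if __name__ == "__main__":
    # Constructed sample body standing in for a CDN-hosted library.
    body = b"console.log('constructed sample script');"
    print(script_tag("https://cdn.example.invalid/lib.min.js", body))
    print("unmodified body accepted:", sri_matches(body, sri_digest(body)))
    print("tampered body accepted:  ", sri_matches(body + b"\n", sri_digest(body)))
```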

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 16:27 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (14 responses)

> I'm not sure "You can find the source somewhere online" qualifies as free software.

Sure it does. It is not ideal but just because you don't see the full source directly in the browser doesn't make it somehow non-free.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 17:29 UTC (Wed) by jebba (guest, #4439) [Link] (13 responses)

The license for it says:

> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

https://github.com/Modernizr/Modernizr/blob/master/LICENS...

Wouldn't the license info need to be included? Just curious.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 19:39 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (12 responses)

They ideally should include a copy of the license. That practice is far from universal as we see here.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 20:21 UTC (Wed) by jebba (guest, #4439) [Link] (11 responses)

> They ideally should include a copy of the license.

Just "Ideally"? Isn't it required?

> That practice is far from universal as we see here.

The Linux Foundation themselves work against copyright enforcement of "Open Source", is it surprising that it is far from universal? Without people on the Board like Bdale Garbee and Karen Sandler, this is the result we get. Microsoft and copyright violations.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 20:47 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (10 responses)

> Just "Ideally"? Isn't it required?

A requirement is meaningless unless it is enforced. I doubt the authors care enough to bother.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 1:06 UTC (Thu) by jebba (guest, #4439) [Link] (9 responses)

You think all 283 contributors (according to github) don't care? That's quite an assumption. And that allows an exemption?

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 2:55 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (8 responses)

> You think all 283 contributors (according to github) don't care? That's quite an assumption. And that allows an exemption?

Given how many websites do this and how often a requirement to bundle a license is enforced, it is a pretty mundane assumption. Also, most of the contributors in a project with a long tail have a few patches each that fixed a bug or added a feature they wanted and moved on, leaving a much smaller number of contributors doing the bulk of the work, and they can either spend their limited time improving the library or enforcing a licensing term. In legal terms, there isn't an exception. In practice, this sort of licensing requirement is often overlooked and questioning me isn't going to change that one bit.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:14 UTC (Thu) by jebba (guest, #4439) [Link] (7 responses)

So since they are too small and unlikely to be able to fight the Linux Foundation's lawyers, the violation is just fine. Got it.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:20 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (5 responses)

> So since they are too small and unlikely to be able to fight the Linux Foundation's lawyers, the violation is just fine. Got it.

Complete mischaracterization of what I said. Try again.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:30 UTC (Thu) by jebba (guest, #4439) [Link] (4 responses)

The Linux Foundation is big enough to overlook violating others' licenses and it is a common practice. Better?

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:34 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (3 responses)

> The Linux Foundation is big enough to overlook violating others' licenses and it is a common practice. Better?

Nope. I never talked about the Linux Foundation at all.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:38 UTC (Thu) by jebba (guest, #4439) [Link] (2 responses)

OK, how about the corporate masters you routinely shill for violate free software developers' licenses regularly, so it doesn't matter because the community can't do anything about it.

Can we end this here, please?

Posted Mar 11, 2021 17:45 UTC (Thu) by jake (editor, #205) [Link]

This does not seem a productive use of anyone's time.

Let's just stop this here, please.

thanks,

jake

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:56 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

You seem very confused. I have zero association whatsoever with the Linux Foundation, nor do I work for any organization associated with it. I do have some experience getting free software licensing issues resolved as a volunteer distro package maintainer and developer for several years, and that's the perspective I am sharing here. The enforcement of licensing requirements, if the authors of the library care enough to do it, has to be initiated by them. I don't see any evidence at all for that. That's my point.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 18:20 UTC (Thu) by jschrod (subscriber, #1646) [Link]

Can you please stop your crusade?

This is not Slashdot.

The Linux Foundation's "sigstore" project

Posted Mar 12, 2021 20:13 UTC (Fri) by ratfactor (guest, #132367) [Link]

> ...this could just have been a plain HTML page.

The sharp irony of these awful Web practices (no matter how common they are) being needlessly used on a "web of trust" site is downright painful.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 15:11 UTC (Wed) by re:fi.64 (subscriber, #132628) [Link]

Modernizr is open source; it seems the license was just omitted from the bundle for some reason...

https://modernizr.com/license/

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 15:30 UTC (Wed) by IanKelling (subscriber, #89418) [Link] (2 responses)

* website, https://sigstore.dev/,

I actually can see some github repo links and a slack link. Slack requires running nonfree software to join. At least the repos seem to be free software.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 15:32 UTC (Wed) by dskoll (subscriber, #1630) [Link] (1 responses)

Actually, I use Slack without using any non-free software. I use a Slack-to-IRC gateway, namely matterircd.

I still don't like Slack, but at least I can access it with free software.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 18:30 UTC (Wed) by IanKelling (subscriber, #89418) [Link]

I should have been clearer. To join slack as a new user requires running nonfree software in your browser last I checked. But there are free clients after you do that. Same with twitter.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 17:34 UTC (Wed) by jebba (guest, #4439) [Link]

The Linux Foundation's "sigstore" project

Posted Mar 12, 2021 20:11 UTC (Fri) by calumapplepie (guest, #143655) [Link]

I disagree on the risks of running arbitrary JavaScript being increased by its nonfree status.

I'm not denying that security holes to exploit exist: there are 0-days in Chrome and other browsers. However, they are rare, of the level that implies nation-state actors, and require long, delicate chains. But my experience with The Great Suspender (see https://lwn.net/Articles/846272/ ) shows that making sure to run open-source code doesn't prevent you from running hostile code.

TGS was a fully open-source extension with 2 million users. A dozen red flags were thrown (new maintainer, from outside the community, with no details of their existence, who never announces their presence, is said to have "purchased" the extension, makes a surprise release, doesn't put out a changelog, doesn't tag the release, includes code in release not on Github, requests additional permissions in release, and has dubious reasons for said permissions).

After three months, there was almost no change in the number of users.

The javascript library in question is open-source, as others have pointed out: while it is minified, that is to speed page loads and is standard on the web. But that doesn't mean it's innocent. A reproducible build stack doesn't mean that the source code doesn't exploit a 0day. Even if it was distributed unminified, there is no way to know where a 0day may exist: reliably differentiating an unusual style choice from a sandbox compromise can't be done without running the code and carefully monitoring the executor.

Any time you run javascript from the internet, you are risking falling victim to 0days, regardless of whether it's open-source or not, distributed minified or unminified. If that concerns you, install NoScript. If you still want SOME scripts, use LocalCDN and uBlock Origin in 'hard' mode. But know that while both of those extensions are fully open-source, either one has all the power it needs to compromise the entirety of your browsing activity.

We can debate the necessity of the site including any JavaScript separately. But there is no way to run remote JavaScript (of ANY sort) securely without trusting that the web browser sandbox is resilient. There is furthermore no way to be certain that the techniques you use to prevent JavaScript from running are not themselves malicious. At some point, you need to draw the line of trust: drawing the line where minified open-source javascript is on one side and unminified open-source code isn't is not a good place.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds