
Insecure dev machines.

Posted Oct 23, 2024 9:12 UTC (Wed) by bluca (subscriber, #118303)
In reply to: Insecure dev machines. by LtWorf
Parent article: Python PGP proposal poses packaging puzzles

Can we please keep the dumb conspiracy theories from the 90s confined to newsy, reddit and other such low-quality forums? Thanks



Insecure dev machines.

Posted Oct 23, 2024 9:21 UTC (Wed) by amarao (guest, #87073) [Link] (17 responses)

Is your comment polite, respectful, and informative?
Are you saying something new that extends the conversation?

(C) lwn

Insecure dev machines.

Posted Oct 23, 2024 13:44 UTC (Wed) by raven667 (subscriber, #5198) [Link]

I think there are a number of LWNers who happen to work for big companies like MS, Oracle, Google, FB, IBM, etc. which are the subject of various conspiracy theories and accusations of bad faith, who themselves are sometimes the originator or work on the systems people have conspiracy theories about and take these accusations of bad faith personally because they are the one being referred to, or they personally know who is being referred to, and take offense when they believe they are operating in good faith for the betterment of their project and users.

Call it like you see it (some initiatives are cynically motivated), but don't be surprised if someone's offended or you get pushback.

Evil corporations

Posted Oct 23, 2024 14:02 UTC (Wed) by corbet (editor, #1) [Link] (15 responses)

I think I can understand where bluca is coming from. If I understand, he is seeing people trash his employer for its behavior over 20 years ago, feels that the company he is working for now is different, and would like the trashing to stop. It must not be fun to be told repeatedly that you are a minion of the Evil Empire.

For the moment, Microsoft appears to be our friend. Tomorrow could be another story, but that is true of every company that works with our community. Corporations are best seen as amoral entities that are only one bad quarterly report away from a complete change of behavior. Corporate support makes all the difference, but we don't want to become too dependent on any of them.

Evil corporations

Posted Oct 23, 2024 19:01 UTC (Wed) by bluca (subscriber, #118303) [Link] (14 responses)

All of that, and even more: there can be many reasons corporations do things, and especially in engineering-led organizations whether or not there are groups of _motivated_ engineers pushing in a determinate direction sometimes matters a lot. Say for example, pushing toward embracing open source and Linux.

Evil corporations

Posted Oct 23, 2024 19:14 UTC (Wed) by amarao (guest, #87073) [Link] (13 responses)

The main problem with accepting 'help' from Microsoft here is that its aim is to replace the existing community-based trust system. It took decades to build the existing network, and thousands of signing parties to get it.

If we follow Microsoft's offer to swap the web-of-trust model for their auth provider (which it is, essentially), a few years later we will get to a situation where the web-of-trust is in decay (and unused).

Can you predict if Microsoft will be a 'friend' 10 years later? Exactly at the time when the last crumbs of the GPG network are removed. Won't it be the perfect moment to move from 'extend' phase to 'extinguish'? How about updating T&C to forbid certain types of activities under their auth provider? What if those forbidden activities include reverse engineering for a new protocol or a new filesystem, or, I don't know, a new proprietary communication protocol between AIs? It is forbidden, accounts are deactivated, and distributions won't 'revive antique GPG' just to support a couple of 'banned' projects.

Is it too absurd to imagine? Especially the 'extinguish' phase? Moreover, I don't think MS here is any better or worse than any big corporation. A corporation gets leverage, a corporation uses leverage to gain even more leverage.

Evil corporations

Posted Oct 23, 2024 20:57 UTC (Wed) by bluca (subscriber, #118303) [Link]

Evil corporations

Posted Oct 24, 2024 4:34 UTC (Thu) by raven667 (subscriber, #5198) [Link]

This envisions a level of thinking, planning, foresight and control that I don't think any living human actually has, let alone the executives who actually run big companies. Do you really think these people are smart enough to pull off what you describe? Have you seen them actually speak? Without some pretty clear evidence, these kinds of conspiracies just don't exist; there are technical issues and maintenance issues and incentives, but not multi-year plans for ...*evil*...

Evil corporations

Posted Oct 24, 2024 9:25 UTC (Thu) by farnz (subscriber, #17727) [Link] (10 responses)

Note that extrapolating from Microsoft of more than 10 years ago to Microsoft of today isn't reasonable, since 10 years ago, it changed both its CEO and its chairman - the two most senior leadership positions. It is very easy to believe that this major change in leadership, which was driven by the failure of the previous leadership to win in the market for phones and cloud computing, has completely changed Microsoft into a different company.

Hating on Microsoft because of how it behaved under previous leadership is like cheering on the SCO Group in its lawsuit against IBM because someone's taking on the bullies at Big Blue. There's no shortage of historically evil behaviour in IBM's past, but the company has changed direction since then.

Evil corporations

Posted Oct 24, 2024 9:52 UTC (Thu) by amarao (guest, #87073) [Link] (9 responses)

What is preventing Microsoft from changing CEO again? I look at some open-source projects and I see how pure hostility toward the open-source community appears out of nothing (Hashicorp, Redis, Mongo, etc). There is not a single argument to declare that Microsoft is different than any other company.

This discussion is not about 'how bad Microsoft is', it's about the replacement of a true web of trust, built out of people and people's trust in each other, with a corporate entity, which now looks like a friend, but has 'profits' written as a goal in its memorandum of association.

If Microsoft hate sounds like 'Linux revenge', replace Microsoft with any corporate entity. Who is the current angel in the heavens? Cloudflare. Let's say it will be delegated to CF. It is the same. Now CF is the friend, but nothing prevents them from leveraging it to achieve their legal obligation toward shareholders: make profits.

The whole thread and my clamor are not about a specific company, but about the fact that the web of trust is being replaced with commercial companies as gatekeepers.

Evil corporations

Posted Oct 24, 2024 10:14 UTC (Thu) by farnz (subscriber, #17727) [Link] (8 responses)

Your arguments were all based on Microsoft being evil - they are no different to any other group of people, and the composition of that group has changed significantly in the last decade.

And the web of trust doesn't change this one iota; if, instead of "corporate control", you had to have a signature from a PyPI operator or someone they've trusted, you're in exactly the same position, since the PyPI operators are also a group of people who can leverage that trust to abuse you.

Fundamentally, what you're saying is that you're scared that a group that you've chosen to trust becomes untrustworthy in the future; and without some form of ability to see the future, there's no way to see whether that will, or will not, happen.

Evil corporations

Posted Oct 24, 2024 10:55 UTC (Thu) by amarao (guest, #87073) [Link] (5 responses)

I specifically replaced Microsoft with another company, if you missed that.

ANY commercial company is bad. They have a goal, written in their memorandum of association: generate profits. Any commercial company placing open source above profits is violating its own obligations toward shareholders (there can be goodwill or publicity reasons, but all of them must lead to higher profits, or the company is not doing its job).

Therefore, entrusting already built community trust to commercial gatekeepers is trust suicide.

They are free to participate, they are free to be trusted, but only as a member of the web of trust, not as its gatekeeper.

If it wasn't clear, once more: any commercial company is bad for this job, not MS specifically.

Evil corporations

Posted Oct 24, 2024 11:04 UTC (Thu) by farnz (subscriber, #17727) [Link] (3 responses)

And I pointed out that you can replace any commercial company with the PSF or the PyPI operators, or any group of people. They all have their own goals, many of which are hidden from you, and which may conflict with what you want from the service they operate.

Indeed, in many respects, Microsoft (Azure), Amazon (AWS) and Google (GCE) are perfect stewards for services like PyPI; there is more profit to be had from making it easy to write software that you then need compute resources for (which they sell for a nice markup) than there is to be had from tightly controlling the availability of software so that you don't need to buy anything from their cloud arms.

Evil corporations

Posted Oct 24, 2024 11:41 UTC (Thu) by atnot (subscriber, #124910) [Link] (2 responses)

> And I pointed out that you can replace any commercial company with the PSF or the PyPI operators, or any group of people

I realize I won't get very far with this if you believe "greediness is just Human Nature™" or other obviously incorrect post-hoc justifications, but surely you see the difference between a legal entity set up in service of a community and beholden by its bylaws or charter, by nature of its legal status, to at least somewhat act in the interest of that community, and an external corporation which is practically required to be maximally extractive?

I can name a dozen examples of corporations pivoting away from FOSS just in the last few years off the top of my head. I have yet to hear of any community foundation doing the same thing. I'm sure it's probably happened, but it's not a pattern.

Evil corporations

Posted Oct 24, 2024 13:04 UTC (Thu) by farnz (subscriber, #17727) [Link]

An external corporation is not "practically required to be maximally extractive", no more than FOSS authors are "practically required to work for free". A corporation is entirely permitted to decide that it's not worth being extractive in this area in order to increase its overall profits by making it easier to spend in another area - for example, it's perfectly OK for a cloud computing provider to not maximally extract from the supply of software in order to make more profits from cloud computing.

And I've seen many community foundations outside software simply fall apart because the people who were running them chose to stop running them for the benefit of the community, but instead ran them to extract maximum money for themselves at the expense of the community they were nominally there to support. So far, that's been rare in software mostly because foundations tend to be controlled by a set of big corporations who are all more scared of a competitor taking control than they are of not extracting maximum money from the community, whereas companies tend to be founded in place of foundations when people want to extract maximum money.

It's also worth noting in this context that the people who are deciding which signature systems to trust are Microsoft employees (among others), and if their employment forced them to be maximally profit extracting, that would be happening with the web of trust as a trust mechanism.

The real danger is not that you trust a corporate, it's when you trust only one entity; whoever controls the trusted entity controls everything. Doesn't matter who that trusted entity is (whether it be the PSF, or Microsoft), because someone wanting to extract maximum money can take control of it, and at that point you're screwed. And in this respect, sigstore itself is fine, because it already supports the concept of multiple trusted signers - the problem is only if the PSF chooses to have only Microsoft as a trusted signer, and sets itself on a course where it can't (e.g.) add GitLab, or Facebook, or TikTok as trusted signers later down the line.

Evil corporations

Posted Oct 24, 2024 20:44 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

I guess you generate your own electricity and etch your own circuits?

The key is to make sure you're not vendor-locked. Which is true in the case of the PSF, they are not locked to MS. If Microsoft goes evil, they can just switch to another cloud provider.

Evil corporations

Posted Oct 24, 2024 11:08 UTC (Thu) by intelfx (subscriber, #130118) [Link]

Well said. Thanks.

Evil corporations

Posted Oct 24, 2024 16:00 UTC (Thu) by LtWorf (subscriber, #124958) [Link] (1 responses)

A signature from pypi is very different from a signature for every uploader that signs their upload.

Evil corporations

Posted Oct 24, 2024 17:06 UTC (Thu) by farnz (subscriber, #17727) [Link]

In both cases, though, the issue is not whether a signature is made by a given corporation; the issue is when you only get one choice, and have to hope that it's not malicious.

In other words, I have a lot of time for your position that whatever PyPI adopts needs to support multiple sources of signatures, because only allowing GitLab, or GitHub, or Linux Foundation, or any other single party to act as the signature source is a recipe for giving that party control. I don't have a lot of time for the idea that it's inherently wrong to let any of the parties that you trust for signatures be a corporate entity.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds