LWN: Comments on "Python PGP proposal poses packaging puzzles"
https://lwn.net/Articles/993787/
This is a special feed containing comments posted to the individual LWN article titled "Python PGP proposal poses packaging puzzles".
Feed last updated: Mon, 15 Sep 2025 21:46:55 +0000


Use a keypair, but skip the web of trust
https://lwn.net/Articles/996752/
gouttegd, Sat, 02 Nov 2024 11:10:38 +0000

> That's called TOFU

And incidentally it’s something that GnuPG has explicitly supported for nearly a decade (`--trust-model tofu`).

An often forgotten feature of the OpenPGP standard is that it is _not_ tied to any specific trust model, and certainly not to the web-of-trust, which is just one trust model among others. In fact I believe the web-of-trust is not mentioned even once in RFC 4880. It has always been possible to “skip the web of trust”.

And I think that overall, it has been hugely damaging to OpenPGP as a whole that almost everybody equates OpenPGP with the use of the web-of-trust.


Single-point-of-failure
https://lwn.net/Articles/996335/
kleptog, Wed, 30 Oct 2024 16:44:18 +0000

A bank only needs to verify your identity once, when the account is opened. After that they have their own login systems which have worked just fine for years. Using a government-provided identity every time to log into a bank account is I guess possible, but not really the goal.

And it's only for online things. Offline your physical passport trumps whatever any online system says.


Single-point-of-failure
https://lwn.net/Articles/996279/
pizza, Wed, 30 Oct 2024 11:39:38 +0000

> But a compromise of a single bank account won't do that.

But a compromise of the central national digital identity provider that the bank (or rather, *all* banks) uses will.

Remember, this government-provided identity is sufficient for literal life-and-death (and the state forcibly stripping you of your freedom) situations.


Use a keypair, but skip the web of trust
https://lwn.net/Articles/996265/
taladar, Wed, 30 Oct 2024 08:58:42 +0000

Technically nothing guarantees that in either case because they might have lost access to the account literally the second after the signature was created.


Single-point-of-failure
https://lwn.net/Articles/996264/
taladar, Wed, 30 Oct 2024 08:57:39 +0000

But a compromise of a single bank account won't do that.


Use a keypair, but skip the web of trust
https://lwn.net/Articles/996191/
Avamander, Tue, 29 Oct 2024 13:10:35 +0000

> 0x12345678 can also read e-mail sent to foo@example.com and send e-mail from that source address

There's no guarantee of that with PGP. Google saying that someone controls an address (via OIDC) however does guarantee that.


Single-point-of-failure
https://lwn.net/Articles/996188/
Avamander, Tue, 29 Oct 2024 13:08:05 +0000

You could also choose Finland, Estonia, Latvia or any others that aren't stuck in the stone age with paper signatures.


Insecure dev machines.
https://lwn.net/Articles/996187/
Avamander, Tue, 29 Oct 2024 13:03:12 +0000

GPG's WoT has not practically worked for years though.


Single-point-of-failure
https://lwn.net/Articles/996185/
pizza, Tue, 29 Oct 2024 12:01:33 +0000

> Banks just financially absorb a certain amount of risk. A 99.9% solution is good enough for them. It is not good enough for a protection of the software supply chain where a single central compromise could affect millions of systems.

As opposed to... protection of the financial supply chain where a single central compromise could affect millions of people, and billions of Euros?


Use a keypair, but skip the web of trust
https://lwn.net/Articles/996167/
taladar, Tue, 29 Oct 2024 09:13:35 +0000

Just because it is trivial for the hosting provider who owns and routes your literal IP address, that doesn't mean that it is trivial to do for anyone else.


Single-point-of-failure
https://lwn.net/Articles/996164/
taladar, Tue, 29 Oct 2024 08:59:04 +0000

Banks just financially absorb a certain amount of risk. A 99.9% solution is good enough for them. It is not good enough for the protection of the software supply chain where a single central compromise could affect millions of systems.


Single-point-of-failure
https://lwn.net/Articles/995857/
kleptog, Fri, 25 Oct 2024 21:37:00 +0000

> Does this mean that I get to choose either to trust Microsoft, Google, and Facebook, or... Hungary?

Like I said, if banks can trust eID to allow you to open new bank accounts, sign documents and take out loans, surely it must be good enough for uploading to PyPI?

No bank is going to allow me to open a bank account by authenticating with my Gmail account. I find the trust in Microsoft/Google/Facebook somewhat concerning. None of them care about your identity at all, only your credit card.


Web key directory (WKD) makes GnuPG (OpenPGP) more usable
https://lwn.net/Articles/995755/
ber, Fri, 25 Oct 2024 13:11:05 +0000

A lot of complaints about the web of trust and OpenPGP do not take newer developments like the Web Key Directory (WKD) protocol into account. When using email clients that implement it to a large extent, the exchange of end-to-end crypto messages has a much higher usability.

See https://wiki.gnupg.org/WKD . It uses the existing binding of email addresses to domains and TLS certificates to bring in some basic trust. Additional trust by other methods (like the web of trust) can be used for additional trust. So it is compatible with higher security models.

(For email implementors see https://wiki.gnupg.org/WKD/UsabilityOfWKD but other use cases can also profit from WKD.)


Insecure dev machines.
https://lwn.net/Articles/995736/
LtWorf, Fri, 25 Oct 2024 11:26:57 +0000

There should be no boot keys!

Also see: https://arstechnica.com/information-technology/2016/08/microsoft-secure-boot-firmware-snafu-leaks-golden-key/


Insecure dev machines.
https://lwn.net/Articles/995722/
Wol, Fri, 25 Oct 2024 10:50:31 +0000

> Why doesn't the PSF run a provider for this? It seems mad to use GitHub for this sort of thing.

Because they can't afford to? These things come with a big price tag for staff, a big price tag for equipment, a big price tag for lawyers and liability insurance, etc etc.

Would YOU step up to the plate and volunteer, knowing that you could be the target of State Sponsored Hacking, and that if you failed absolutely EVERYTHING could be on the line - sued into bankruptcy, and jailed on top?

There's a reason these things are done by big corps.

(Take why it's Microsoft that controls the secure boot keys - I gather they were the ONLY people to volunteer - the LF took one look and said "we don't have the resources". Pity they couldn't set up a trade association of computer manufacturers to do it, but it is what it is.)

Cheers,
Wol


Insecure dev machines.
https://lwn.net/Articles/995708/
milesrout, Fri, 25 Oct 2024 09:09:28 +0000

> Anybody who dislikes Microsoft for any reason can just pick Google or Gitlab any of the other OAUTH providers, this is not about just one specific company/organisation.

But I don't trust any of them. And they're central points of failure for far too much free software already. Why doesn't the PSF run a provider for this? It seems mad to use GitHub for this sort of thing.


Single-point-of-failure
https://lwn.net/Articles/995707/
milesrout, Fri, 25 Oct 2024 09:07:09 +0000

> European digital identity

Does this mean that I get to choose either to trust Microsoft, Google, and Facebook, or... Hungary?


Insecure dev machines.
https://lwn.net/Articles/995706/
milesrout, Fri, 25 Oct 2024 09:02:12 +0000

Nothing to do with the 90s at all. What Microsoft is doing here, and what they're doing with every other "open source" contribution they are making, is the same thing they've been doing for decades at this point: embrace, extend, extinguish.

Why people fall for it during the embrace phase *every single time* is beyond me.


Such a headline!
https://lwn.net/Articles/995684/
douglasbagnall, Fri, 25 Oct 2024 06:14:46 +0000

Honestly I was expecting a reference to https://github.com/konstin/sudoku-in-python-packaging


Evil corporations
https://lwn.net/Articles/995633/
Cyberax, Thu, 24 Oct 2024 20:44:55 +0000

I guess you generate your own electricity and etch your own circuits?

The key is to make sure you're not vendor-locked. Which is true in the case of the PSF, they are not locked to MS. If Microsoft goes evil, they can just switch to another cloud provider.


Evil corporations
https://lwn.net/Articles/995587/
farnz, Thu, 24 Oct 2024 17:06:45 +0000

In both cases, though, the issue is not whether a signature is made by a given corporation; the issue is when you only get one choice, and have to hope that it's not malicious.

In other words, I have a lot of time for your position that whatever PyPI adopts needs to support multiple sources of signatures, because only allowing GitLab, or GitHub, or Linux Foundation, or any other single party to act as the signature source is a recipe for giving that party control. I don't have a lot of time for the idea that it's inherently wrong to let any of the parties that you trust for signatures be a corporate entity.


Evil corporations
https://lwn.net/Articles/995584/
LtWorf, Thu, 24 Oct 2024 16:00:20 +0000

A signature from pypi is very different from a signature for every uploader that signs their upload.


Evil corporations
https://lwn.net/Articles/995457/
farnz, Thu, 24 Oct 2024 13:04:32 +0000

An external corporation is *not* "practically required to be maximally extractive", no more than FOSS authors are "practically required to work for free". A corporation is entirely permitted to decide that it's not worth being extractive in this area in order to increase its overall profits by making it easier to spend in another area - for example, it's perfectly OK for a cloud computing provider to not maximally extract from the supply of software in order to make more profits from cloud computing.

And I've seen many community foundations outside software simply fall apart because the people who were running them chose to stop running them for the benefit of the community, but instead ran them to extract maximum money for themselves at the expense of the community they were nominally there to support. So far, that's been rare in software mostly because foundations tend to be controlled by a set of big corporations who are all more scared of a competitor taking control than they are of not extracting maximum money from the community, whereas companies tend to be founded in place of foundations when people want to extract maximum money.

It's also worth noting in this context that the people who are deciding which signature systems to trust *are* Microsoft employees (among others), and if their employment forced them to be maximally profit extracting, that would be happening with the web of trust as a trust mechanism.

The real danger is not that you trust a corporate, it's when you trust only one entity; whoever controls the trusted entity controls everything. Doesn't matter who that trusted entity is (whether it be the PSF, or Microsoft), because someone wanting to extract maximum money can take control of it, and at that point you're screwed. And in this respect, sigstore itself is fine, because it already supports the concept of multiple trusted signers - the problem is only if the PSF chooses to have only Microsoft as a trusted signer, and sets itself on a course where it can't (e.g.) add GitLab, or Facebook, or TikTok as trusted signers later down the line.


Such a headline!
https://lwn.net/Articles/995480/
jzb, Thu, 24 Oct 2024 12:54:19 +0000

Thank you... I think?


Such a headline!
https://lwn.net/Articles/995460/
madhatter, Thu, 24 Oct 2024 11:54:00 +0000

Can we spare a moment to admire Mr. Brockmeier's heavy-duty alliterative headline? It's worthy of a red-top tabloid, though whether that's a good thing, each reader must judge for him/herself.


Evil corporations
https://lwn.net/Articles/995452/
atnot, Thu, 24 Oct 2024 11:41:08 +0000

> And I pointed out that you can replace any commercial company with the PSF or the PyPI operators, or any group of people

I realize I won't get very far with this if you believe "greediness is just Human Nature™" or other obviously incorrect post-hoc justifications, but surely you see the difference between a legal entity set up in service of a community and beholden by its bylaws or charter by nature of its legal status to at least somewhat act in the interest of that community, and an external corporation which is practically required to be maximally extractive?
I can name a dozen examples of corporations pivoting away from FOSS just in the last few years off of the top of my head. I have yet to hear of any community foundation doing the same thing. I'm sure it's probably happened, but it's not a pattern.


Evil corporations
https://lwn.net/Articles/995450/
intelfx, Thu, 24 Oct 2024 11:08:04 +0000

Well said. Thanks.


Evil corporations
https://lwn.net/Articles/995449/
farnz, Thu, 24 Oct 2024 11:04:22 +0000

And I pointed out that you can replace any commercial company with the PSF or the PyPI operators, or any group of people. They all have their own goals, many of which are hidden from you, and which may conflict with what you want from the service they operate.

Indeed, in many respects, Microsoft (Azure), Amazon (AWS) and Google (GCE) are perfect stewards for services like PyPI; there is more profit to be had from making it easy to write software that you then need compute resources for (which they sell for a nice markup) than there is to be had from tightly controlling the availability of software so that you don't need to buy anything from their cloud arms.


Evil corporations
https://lwn.net/Articles/995448/
amarao, Thu, 24 Oct 2024 10:55:49 +0000

I specifically replaced Microsoft with another company, if you missed that.

ANY commercial company is bad. They have a goal, written in their memorandum of association: generate profits. Any commercial company placing opensource above profits is violating its own obligations toward shareholders (There can be goodwill or publicity reasons, but all of them must lead to higher profits, or the company is not doing its job).

Therefore, entrusting already built community trust to commercial gatekeepers is trust suicide.

They are free to participate, they are free to be trusted, but only as a member of the web of trust, not as its gatekeeper.

If it wasn't clear, once more: any commercial company is bad for this job, not MS specifically.


Evil corporations
https://lwn.net/Articles/995443/
farnz, Thu, 24 Oct 2024 10:14:49 +0000

Your arguments were all based on Microsoft being evil - they are no different to any other group of people, and the composition of that group has changed significantly in the last decade.

And the web of trust doesn't change this one iota; if, instead of "corporate control", you had to have a signature from a PyPI operator or someone they've trusted, you're in exactly the same position, since the PyPI operators are *also* a group of people who can leverage that trust to abuse you.

Fundamentally, what you're saying is that you're scared that a group that you've chosen to trust becomes untrustworthy in the future; and without some form of ability to see the future, there's no way to see whether that will, or will not, happen.


Evil corporations
https://lwn.net/Articles/995441/
amarao, Thu, 24 Oct 2024 09:52:29 +0000

What is preventing Microsoft changing CEO again? I look at some opensource projects and I see how pure hostility toward the opensource community appears out of nothing (Hashicorp, Redis, Mongo, etc). There is not a single argument to declare that Microsoft is different than any other company.

This discussion is not about 'how bad Microsoft is', it's about the replacement of the true web of trust, built out of people and people's trust in each other, with a corporate entity, which now looks like a friend, but has 'profits' written as a goal in its memorandum of association.

If Microsoft hate sounds like a 'Linux revenge', replace Microsoft with any corporate entity. Who is the current angel in heavens? Cloudflare. Let's say it will be delegated to CF. It is the same. Now CF is the friend, but nothing prevents them from leveraging it for achieving their legal obligation toward shareholders: make profits.

The whole thread and my clamor is not about a specific company, but the fact that the web of trust is being replaced with commercial companies as gatekeepers.


Evil corporations
https://lwn.net/Articles/995433/
farnz, Thu, 24 Oct 2024 09:25:07 +0000

Note that extrapolating from Microsoft of more than 10 years ago to Microsoft of today isn't reasonable, since 10 years ago, it changed both its CEO and its chairman - the two most senior leadership positions. It is very easy to believe that this major change in leadership, which was driven by the failure of the previous leadership to win in the market for phones and cloud computing, has completely changed Microsoft into a different company.

Hating on Microsoft because of how it behaved under previous leadership is like cheering on the SCO Group in its lawsuit against IBM (https://lwn.net/Articles/245202/) because someone's taking on the bullies at Big Blue. There's no shortage of historically evil behaviour in IBM's past, but the company has changed direction since then.


Evil corporations
https://lwn.net/Articles/995408/
raven667, Thu, 24 Oct 2024 04:34:46 +0000

This envisions a level of thinking, planning, foresight and control that I don't think any living human actually has, let alone the executives who actually run big companies. Do you really think these people are smart enough to pull off what you describe? Have you seen them actually speak? Without some pretty clear evidence these kinds of conspiracies just don't exist, there are technical issues and maintenance issues and incentives but not multi-year plans for ...*evil*...


Evil corporations
https://lwn.net/Articles/995392/
bluca, Wed, 23 Oct 2024 20:57:47 +0000

Please see https://lwn.net/Articles/995249/


Evil corporations
https://lwn.net/Articles/995377/
amarao, Wed, 23 Oct 2024 19:14:44 +0000

The main problem with accepting 'help' from Microsoft here is that its aim is to replace the existing community-based trust system. It took decades to build the existing network, and thousands of signing parties to get it.

If we follow Microsoft's offer to swap the web-of-trust model for their auth provider (which it is, essentially), a few years later we will get to a situation where the web-of-trust is in decay (and unused).

Can you predict if Microsoft will be a 'friend' 10 years later? Exactly at the time when the last crumbs of the GPG network are removed. Won't it be the perfect moment to move from the 'extend' phase to 'extinguish'? How about updating T&C to forbid certain types of activities under their auth provider? What if those forbidden activities include reverse engineering for a new protocol or a new filesystem, or, I don't know, a new proprietary communication protocol between AIs? It is forbidden, accounts are deactivated, and distributions won't 'revive antique GPG' just to support a couple of 'banned' projects.

Is it too absurd to imagine? Especially the 'extinguish' phase? Moreover, I don't think MS here is any better or worse than any big corporation. A corporation gets leverage, a corporation uses leverage to gain even more leverage.


Evil corporations
https://lwn.net/Articles/995346/
bluca, Wed, 23 Oct 2024 19:01:07 +0000

All of that, and even more: there can be many reasons corporations do things, and especially in engineering-led organizations whether or not there are groups of _motivated_ engineers pushing in a determinate direction sometimes matters a lot. Say for example, pushing toward embracing open source and Linux.


Evil corporations
https://lwn.net/Articles/995298/
corbet, Wed, 23 Oct 2024 14:02:50 +0000

I think I can understand where bluca is coming from. If I understand, he is seeing people trash his employer for its behavior over 20 years ago, feels that the company he is working for now is different, and would like the trashing to stop. It must not be fun to be told repeatedly that you are a minion of the Evil Empire.

For the moment, Microsoft appears to be our friend. Tomorrow could be another story, but that is true of every company that works with our community. Corporations are best seen as amoral entities that are only one bad quarterly report away from a complete change of behavior. Corporate support makes all the difference, but we don't want to become too dependent on any of them.


Insecure dev machines.
https://lwn.net/Articles/995297/
raven667, Wed, 23 Oct 2024 13:44:18 +0000

I think there are a number of LWNers who happen to work for big companies like MS, Oracle, Google, FB, IBM, etc. which are the subject of various conspiracy theories and accusations of bad faith, who themselves are sometimes the originator of or work on the systems people have conspiracy theories about and take these accusations of bad faith personally because they are the one being referred to, or they personally know who is being referred to, and take offense when they believe they are operating in good faith for the betterment of their project and users.

Call it like you see it (some initiatives are cynically motivated), but don't be surprised if someone's offended or you get pushback.


Insecure dev machines.
https://lwn.net/Articles/995250/
amarao, Wed, 23 Oct 2024 09:21:38 +0000

Is your comment polite, respectful, and informative?
Are you saying something new that extends the conversation?

(C) lwn


Insecure dev machines.
https://lwn.net/Articles/995249/
bluca, Wed, 23 Oct 2024 09:12:55 +0000

Can we please keep the dumb conspiracy theories from the 90s confined to newsy, reddit and other such low-quality forums? Thanks
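Two of the comments above point at concrete mechanisms rather than governance: gouttegd's note that GnuPG ships a trust-on-first-use model (`--trust-model tofu`), and ber's pointer to the Web Key Directory, where the domain that owns an e-mail address serves the OpenPGP key for it over HTTPS. The block below is an added example written for this page; it is not code from the thread, from GnuPG, from the WKD draft or from PyPI. It implements the two ideas from scratch so they can be run offline: a TOFU binding store that pins the first key seen for an identity and flags any later key claiming the same identity, and the WKD URL derivation (lowercased local part, SHA-1, z-base-32, under `/.well-known/openpgpkey/`) in the "advanced" and "direct" forms GnuPG's draft describes. `TofuStore`, `tofu_demo` and every address and fingerprint in it are constructed for illustration and are not real keys or real LWN users.

```python
"""Added example: a minimal TOFU key-binding store and WKD URL derivation.
Not code from the LWN thread, GnuPG or PyPI.  Addresses and fingerprints
are constructed test data."""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet, the encoding GnuPG uses for the hashed WKD local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit
    first, trailing bits zero-padded.  A 20-byte SHA-1 is exactly 32 chars."""
    nbits = len(data) * 8
    nchars = -(-nbits // 5)                              # ceil(nbits / 5)
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32[(value >> (5 * i)) & 31]
                   for i in range(nchars - 1, -1, -1))


def wkd_hash(local_part: str) -> str:
    """WKD hashes only the *lowercased* local part; the domain lives in the path."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs a client tries, in that
    order.  The ?l= query carries the local part as written so the server
    can select the exact user ID; a client must still check that the key it
    gets back actually carries a user ID for the requested address."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={quote(local, safe='')}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }


class TofuStore:
    """identity -> first-seen key fingerprint.  The pinned key is trusted for
    the identity because it was seen first, not because anyone certified it;
    that is the whole of the trust-on-first-use model."""

    def __init__(self):
        self.bindings = {}                               # identity -> fingerprint

    @staticmethod
    def _normalize(fingerprint: str) -> str:
        return fingerprint.replace(" ", "").upper()

    def check(self, identity: str, fingerprint: str) -> str:
        """Classify an (identity, key) pair seen on a signature:
        'new'      first key seen for this identity; it is pinned now
        'good'     matches the pinned key
        'conflict' a different key claims the same identity; never accept
                   this silently, it is exactly the case TOFU exists to catch"""
        fpr = self._normalize(fingerprint)
        pinned = self.bindings.get(identity)
        if pinned is None:
            self.bindings[identity] = fpr
            return "new"
        return "good" if pinned == fpr else "conflict"

    def rebind(self, identity: str, fingerprint: str) -> None:
        """Replace the pin after out-of-band verification, e.g. a key rotation
        whose new fingerprint was confirmed over another channel."""
        self.bindings[identity] = self._normalize(fingerprint)


def tofu_demo() -> list:
    """Walk a store through first contact, a repeat, a key change and a
    deliberate rebind.  Constructed fingerprints, not real keys."""
    store = TofuStore()
    key_a = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"
    key_b = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
    results = [
        store.check("foo@example.com", key_a),           # 'new'
        store.check("foo@example.com", key_a),           # 'good'
        store.check("foo@example.com", key_b),           # 'conflict'
    ]
    store.rebind("foo@example.com", key_b)               # user verified the rotation
    results.append(store.check("foo@example.com", key_b))  # 'good'
    return results


if __name__ == "__main__":
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method}: {url}")
    print(tofu_demo())
```

The two halves address different questions. WKD answers "which key does the owner of this domain publish for this address?", which, as ber's comment says, borrows the binding of the address to its domain and the domain's TLS certificate; a key fetched this way says nothing about the person beyond what the domain operator asserts. TOFU answers "is this the same key I saw last time?", which is why a `conflict` result must be surfaced to the user rather than resolved automatically: a second key for a known identity is either a legitimate rotation or an impersonation, and only an out-of-band check can tell them apart.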