
Re: Interest in ISO 27001 audit/certification for the Debian Project?



Russ Allbery <rra@debian.org> writes:

> Simon Josefsson <simon@josefsson.org> writes:
>
>> I think that is not the only possible scenario -- another one that I
>> find at least reasonable, if not more likely, is that anyone who
>> considered volunteering to implement this soon realized that there are
>> fundamental aspects that would need to be addressed first, raised those
>> concerns, did not find sufficient support or interest to address or talk
>> about the concerns, and started to work on improving those issues
>> elsewhere (if they at all cared to pursue it further, demotivation is a
>> factor too).
>
> Sure, I intended to include that in "not in a position to do that work."
> Missing prerequisites is one of the reasons why someone may not be in a
> position to do that work.

Ah, I didn't realize the pool for volunteers you consider only includes
those who are in a position to do the work.  That is a small and
probably rather busy set of people, and I couldn't blame them for not
having time to implement everyone's pet wish.  That to me suggests a
systematic concern: that it is not possible to volunteer to do some
work, and that it has to be performed by people who are in the right
position.

>> (I guess the reference to "you" is not directly meant to me, but someone
>> else?  I don't recall bringing up ISO 27k before and personally I find
>> such certifications, like FIPS, generally more harmful than useful.
>> Some parts of ISO 27k bring up important topics, but you can become ISO
>> 27k certified without really addressing the problems, and some of the
>> topics they bring up may imply worse technical solutions.)
>
> No, I mean you, but I was talking about the "I would disagree that Debian
> would not be improved by further documentation and transparency work" part
> of your message. You have been making this point for some time, and still
> seem unhappy with the current state, so I assume that the basic problem is
> lack of volunteer resources. That may include resources to work through
> whatever underlying concerns people may have uncovered and figure out how
> to address them within Debian's structure; that is, indeed, part of that
> work. My point is that I don't think anyone is *opposed* to "further
> documentation and transparency work." There are just a lot of things to do
> in Debian and people work on the things they think are important or enjoy.

The last sentence is certainly true.  However I see some opposition to
allowing people to do transparency work.  Trixie could have shipped with
the 'apt-verify' package that would have allowed users to ALSO verify
upgrades using Sigstore or Sigsum, or other mechanisms.  It would not
have degraded or affected PGP verification, which would still be
effective.  It would not do anything for users that didn't install the
apt-verify package.  But the apt team added a 'Conflicts: apt-verify' to
apt, effectively making 'apt-verify' uninstallable, and attempts to
resolve the dispute have not led anywhere.

Definitely 'apt-verify' has limitations and is not a perfect solution,
but at least it allows opt-in experimentation and some progress in this
area.  I've been using it on some of my machines for over a year,
protecting upgrades through Sigstore transparency-logged signatures.

/Simon
