
Re: Keysigning in times of COVID-19



On Thu, Aug 6, 2020 at 5:40 PM Roberto C. Sánchez <roberto@debian.org> wrote:
> Perhaps instead of requiring "a valid DD signature" as the basis for
> "important" project actions (e.g., uploading to the archive), we should
> consider rather "degree of trust associated with a collection of one or
> more signatures".

Forking the conversation a bit, I'm wondering what is the real threat
that we want to mitigate.
I guess the main one is: "a malicious DD uploads a package containing
a backdoor"

I propose a crude risk metric for uploads that can be generated and
used automatically:

Risk multipliers:
- Package popcon: a backdoor in a popular package has higher impact
- Change size in SLOC: makes it easier to sneak in a backdoor
- Is it a binary upload?
- Is it an NMU? Is it the first NMU of such DD against such package?
- Is the uploader a DD or DM?

Risk dividers:
- Number of signatures on the uploader's GPG key
- Number of days since the uploader's NM process (can make the
malicious DD way less effective)
- Number of packages maintained by the uploader (perhaps?)
- NMU delay in days (perhaps?)

Very high-risk uploads could require an approval from a second DD.
As an added benefit, this makes our workstations and GPG keys less
interesting targets for attackers.
It could make DDs less likely to be coerced by legal means, work
pressure, or other.
Perhaps it might also simplify the progress between sponsored
maintainer -> DM -> DD and encourage good practices.

Any risk equation can be debated endlessly... but it seems like an
improvement over what we have.

Thanks!
--
Federico
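The risk metric sketched above, worked through as an added example (this is not code from the post, from dak, or from any Debian infrastructure). The multiplier weights, the logarithmic scaling of popcon and SLOC counts, the one-year and one-week normalisation of the dividers, the `APPROVAL_THRESHOLD` value and the two sample uploads are all assumptions made here to show how the score behaves; the field names on `Upload` are likewise invented.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Upload:
    """Facts about one upload that the archive could collect automatically.
    Field names are hypothetical; they mirror the list in the post."""
    package: str
    popcon_installs: int         # popcon "installed" count for the package
    changed_sloc: int            # source lines changed versus the previous version
    binary_upload: bool          # True if the uploader built the binaries (not source-only)
    is_nmu: bool
    first_nmu_for_package: bool  # first NMU by this uploader against this package
    uploader_is_dd: bool         # True for a DD, False for a DM
    key_signatures: int          # signatures on the uploader's OpenPGP key
    days_since_nm: int           # days since the uploader's NM process completed
    packages_maintained: int     # packages the uploader maintains
    nmu_delay_days: int          # delayed-queue days for an NMU, 0 otherwise


# Assumed cut-off above which a second DD must approve the upload.
APPROVAL_THRESHOLD = 10.0


def risk_score(u: Upload) -> float:
    """Crude risk score: product of the multipliers divided by the dividers.
    Counts are log-scaled so a 10x more popular package does not make the
    score 10x larger; every weight below is an assumption, not a calibrated value."""
    score = 1.0
    # --- risk multipliers ---
    score *= 1 + math.log10(1 + u.popcon_installs)   # impact grows with install base
    score *= 1 + math.log10(1 + u.changed_sloc)      # bigger diffs hide more
    if u.binary_upload:
        score *= 2.0                                 # binaries are not reproducible from source
    if u.is_nmu:
        score *= 1.5
    if u.first_nmu_for_package:
        score *= 2.0                                 # no prior relationship with the package
    if not u.uploader_is_dd:
        score *= 1.5                                 # DM went through a lighter vetting
    # --- risk dividers ---
    score /= 1 + math.log2(1 + u.key_signatures)     # well-connected key in the web of trust
    score /= 1 + u.days_since_nm / 365               # long-standing member
    score /= 1 + math.log2(1 + u.packages_maintained)
    score /= 1 + u.nmu_delay_days / 7                # delayed NMUs give others time to look
    return score


def needs_second_approval(u: Upload) -> bool:
    return risk_score(u) >= APPROVAL_THRESHOLD


# Constructed sample uploads (all numbers invented for illustration).
ESTABLISHED_DD_SOURCE_ONLY = Upload(
    package="example-small", popcon_installs=500, changed_sloc=20,
    binary_upload=False, is_nmu=False, first_nmu_for_package=False,
    uploader_is_dd=True, key_signatures=40, days_since_nm=3650,
    packages_maintained=15, nmu_delay_days=0,
)
NEW_DD_BINARY_NMU = Upload(
    package="example-popular", popcon_installs=200_000, changed_sloc=5000,
    binary_upload=True, is_nmu=True, first_nmu_for_package=True,
    uploader_is_dd=True, key_signatures=2, days_since_nm=30,
    packages_maintained=1, nmu_delay_days=0,
)


def with_more_signatures(u: Upload, extra: int) -> Upload:
    """Same upload, uploader's key carries `extra` more signatures."""
    return replace(u, key_signatures=u.key_signatures + extra)


if __name__ == "__main__":
    for u in (ESTABLISHED_DD_SOURCE_ONLY, NEW_DD_BINARY_NMU):
        print(f"{u.package:16s} score={risk_score(u):7.3f} "
              f"second approval: {needs_second_approval(u)}")
```

Running it shows the intended behaviour: the routine source-only upload by a long-standing DD scores well under 1, while the large binary NMU of a popular package by a freshly admitted DD with a sparsely signed key scores around 30 and would be held for a second approval. Because the dividers are monotonic, adding signatures to the key, waiting in the delayed queue, or simply being a member for longer all lower the score of the same upload, which is the incentive structure the post describes.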