Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)

[Ludovic Courtès]

Hi,

Skyler Ferris <skyvine@protonmail.com> skribis:

> In short, I'm not sure that we actually get any value from checking the 
> PGP signature for most projects. Either HTTPS is good enough or the 
> attacker won. 99% of the time HTTPS is good enough (though it is notable 
> that the remaining 1% has a disproportionate impact on the affected 
> population).

When checking PGP signatures, you end up with a trust-on-first-use
model: the first time, you download a PGP key that you know nothing
about and you authenticate code against that, which gives no
information.

On subsequent releases though, you can ensure (ideally) that releases
still originates from the same party.

HTTPS has nothing to do with that: it just proves that the web server
holds a valid certificate for its domain name.

But really, the gold standard, if I dare forego any form of modesty, is
the ‘.guix-authorizations’ model as it takes care of key distribution as
well as authorization delegation and revocation.

  https://doi.org/10.22152/programming-journal.org/2023/7/1

Ludo’.