Comment by lrvick
2 years ago
If a Github account was compromised, the attacker would still be unable to sign with the key that user has historically used. If all that was done was pin keys of developers and sound alarm bells if the key changes or changes revert to being unsigned, then this is still of significant value as a first step.
I agree most of the value of signing happens if we establish a web of trust with signed keys of known developers with a history of behaving non maliciously -and- also have signed code review by people in the same trust network to limit risk of coercion, or malware stealing yubikey taps on an endpoint.
Also, saying they are lazy about security is unfair. They just invested in areas of security most distros ignored, but sadly at the expense of the security most distros get right. The regression feels irresponsible, but as I said in my other post maybe we need to separate concerns between the AUR-style rapid development expression repohsitory and a new separate one select packages graduate to that have web of trust with well known maintainer/reviewer keys.
I could get behind that.
No comments yet
Contribute on Hacker News ↗