On Thu, Oct 10, 2024 at 09:13:38PM +0200, Matěj Cepl wrote:
> Python developers started to discuss PEP-761 [1], which is about stopping the signing of Python release tarballs with GPG and switching to sigstore. The discussion on discuss.python.org [2] grew to a rather large one, including Fedora and openSUSE maintainers' strong opposition to using Python-based sigstore and preferring a compiled version [3] and requiring offline verification [4] (also supported by the Gentoo maintainer [4]). Hopefully there is also an alternative Go client [5]. A similar discussion started on the Debian Python list [6].
>
> The thing which runs through my mind is whether we as openSUSE as a whole don't want to switch to sigstore for the security of our packages as well. What do you think?
Hello,

if I understand this correctly, instead of the decentralized GPG infrastructure sigstore is a centralized service. While individual developers have varying awareness of good security practices and their keys get compromised from time to time, this is replaced by a central keystore that is one huge target for all attacks. This is a nice example of diseconomy of scale. While individual developers are not particularly difficult to attack, the reward for compromising one developer key is low. This single point of failure is a much more rewarding target, and while they may have better security practices than the average Joe Coder, the attacks that they need to fend off will likely be way more common and more sophisticated as the service becomes more important.

There is nothing 100% reliable; think of what will happen when the sigstore service fails, and what the failure modes could be:

- DoS making it and the certificate registries unavailable
- compromise that is discovered immediately but requires a full rebuild of the service and user account data
- compromise that is not discovered immediately and puts all software signed by sigstore in the past weeks/months into question

While the service aims at mitigating 'typo squatting', AFAICT it in fact blesses typo squatters with a veneer of 'cryptographic validation'. With all keys ephemeral and only tied to any package release by the metadata provided by the service, anyone can generate a key for their typo squat release.

After there has been a lot of talk on how the central package repositories like NPM and the Python and Rust equivalents are a single point of failure for the respective ecosystem (left-pad anyone?) as well as rewarding targets for low-tech attacks, the answer is: make more critical services centralized. What could possibly go wrong?

This push towards centralization kind of rests on the 'messiah' rhetoric along the lines of 'Individual users cannot be trusted to do/decide this themselves, we will do it for them'.
Compare with the gnuk project that makes key storage affordable, reasonably secure for individual use, and intelligible to the general user. https://blog.danman.eu/2-usb-crypto-token-for-use-with-gpg-and-ssh/

Thanks

Michal