[Nix-dev] Announcing: NixOS Security Team, and Request for Comments

[Colin Putney]

On Fri, Jan 6, 2017 at 11:01 AM, zimbatm <zimbatm at zimbatm.com> wrote:

> In relation to GPG key signing, I think it's safe to trust online
> identities it they are established trough enough channels. That's basically
> what keybase.io is doing, they are a point of contact but the proof of
> identity is distributed on multiple services. Personal verification is just
> another target.
>
> Someone who would want to subvert that process would have to Impersonate
> all these services through MITM and also maintain that in place if the user
> is moving between connections (and somehow not trigger chrome's certificate
> monitoring).
> As far as I know only state actors might be able to pull that off. But
> they also have access to zeroday to hack and extract the private key
> directly which seem more practical to me.
>
> Anyways, it's good that you want to be careful, that's just my thinking.
>
In this context, we don't actually care about identity much. If @rbvermaa
has a passport that says something other than "Rob Vermaas", it doesn't
really matter. What does matter is that we trust the person who committed
so much good code. To that end, maybe the security team should add their
keys to some file in the repository, and then cross-sign from a checkout.

Colin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20170106/144ce0c1/attachment-0001.html>