[lrvick]

So you are saying that the solution is that we go to the majority of active and reputable PGP keyholders, Linux maintainers, and tell them to stop signing the binaries that run the internet, and just yolo, because that worked so well for NPM?

I really hope I am misunderstanding you.

[akerl_]

Yes, you’re misunderstanding me.

I’m saying several things, but since you’re really focused on Linux package signing, I’m saying about that: PGP is a bunch of theatre there and distros should use minisign instead.

Linux package signing is a great example of where PGP is goofy. Users of Linux distros get their root of trust by downloading a keyring from the exact same place they download the distro ISO. To a rounding error, no users are checking a trust path from them to a distro maintainer, nor does the trust path between one maintainer and another matter.

Distros are themselves centralized entities. They already run bug trackers and forums and centralized package repos that necessitate an authentication system.

So PGP effectively becomes a clunky behemoth whose output is just “every package has a signature that is checked against a centrally curated set of keys that get shipped around to users”.

Moving to minisign would be a strict improvement.

[lrvick]

> PGP is a bunch of theatre there and distros should use minisign instead.

Okay so drop the IETF standard, web of trust, smartcard support, and external key discovery mechanisms to prove the whole keychain was not swapped out with a fake one, and just have everyone generate minisign keys exposed to system memory with no trust link backwards, and then sign things with probably the same algorithms. But then we cannot sign commits or code reviews with minisign because non standard, so i guess use ssh keys for those, and then maintain multiple keychains for each person.

Minisign is strictly worse in every way. Your camp will never convince Linux maintainers to switch with this pitch.

Many of us actually do verify the web of trust, extensively. I have many Linux maintainers in my own keychain independent from their usage in linux distros. Minisign has no such key distribution and accountability system.

[akerl_]

> Okay so drop the IETF standard, web of trust, smartcard support, and external key discovery mechanisms to prove the whole keychain was not swapped out with a fake one, and just have everyone generate minisign keys exposed to system memory with no trust link backwards, and then sign things with probably the same algorithms. But then we cannot sign commits or code reviews with minisign because non standard, so i guess use ssh keys for those, and then maintain multiple keychains for each person.

Yes, all of that.

[lrvick]

At this point I can only conclude you are a troll, but if you are actually serious, I challenge you to prove it. I put in the work in the community for my side of this debate.

I would suggest you pick one of the mainline Linux distros that relies on PGP and make a detailed RFC with a plan to downgrade their security to your non standard minisign/ssh solution with private keys exposed in system memory as you propose, and make a convincing case why it is worth it and what advantages they get for doing so.

Let me know if you do. I am sure it will be a great case study.

[akerl_]

Thankfully OpenBSD did my work for me:

https://www.openbsd.org/papers/bsdcan-signify.html

[lrvick]

So 0.1% of the internet is protected by Ed25519 signatures because of this move. Meanwhile PGP has had Ed25519 support for years, with hardware security key support.

OpenBSD does fantastic work, but you and I both know it will never have any significant adoption on the web at this point.

Try to convince an actual Linux distro running any significant portion of the web they should stop using Ed25519 via PGP smartcards and use Ed25519 via signify exposing their keys to system memory (and thus malware) instead, with no key discovery protocol, for unspecified reasons.

Would love to see a threat modeling case for that.

At this point you have shown your hand. You hate PGP so much you would make security for everyone worse to get rid of it. There is no reasonable threat model to support your position.