The PGP problem sounds super similar to the complaints about Javascript.
It sucks, no one likes it, so of course we’re going to use it forever and it’ll be ubiquitous until the end of the internet.
We should spend our effort focusing on how to minimize the damage.
it require you to do the Web Of Trust rigamarole
Well, you do....it's just that your Web of Trust is that list of big corps across the top. Every signing method is a Web of Trust. Just the methods are different. You can trust self-signed certs by adding them to the systems you use. I won't dispute that PGP has been superseded by far better techs (including SSH keys). But for web certs, you're essentially just doing the same 'I generate a private/public keypair and somebody signs it with some degree of authority.' I don't know the exact details of sigstore, but the initial pitch sounds a lot like 'Let's Encrypt certs, but different for the sake of being different.'
I am using and trust Signal a lot more than most of the alternatives, although I'd feel much better if there was a robust 3rd party ecosystem. Less complex than Matrix ideally.
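An added example, not from this thread and not sigstore's, Let's Encrypt's or any project's code, to make the model the comment above sketches concrete: a keypair is generated, some issuer signs the public key, and the verifier decides whom to trust by what it loads into its trust store. The names "Example CA" and "maintainer@example" and the artifact bytes are constructed; the "certificate" is a deliberately minimal stand-in for an X.509 cert or a PGP key signature (subject key plus issuer signature), not either real format. It shows a CA-issued key verifying, a self-signed key being rejected until the user adds it to the store (the "adding them to the systems you use" case), and a tampered artifact failing:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a minimal stand-in for a certificate: a subject's public key and the
// issuer's signature over (issuer, subject, key). Not a real X.509/PGP encoding.
type Cert struct {
	Issuer    string
	Subject   string
	SubjectPK ed25519.PublicKey
	Sig       []byte
}

// TrustStore is the verifier's own list of roots: whichever keys the user
// (or their OS/distro) decided to load. This is the "web of trust" knob.
type TrustStore map[string]ed25519.PublicKey

// certBody is the exact byte string the issuer signs.
func certBody(c Cert) []byte {
	return append([]byte(c.Issuer+"\x00"+c.Subject+"\x00"), c.SubjectPK...)
}

// Issue has issuerSK vouch for subjectPK. When issuer == subject and the key
// signs itself, the result is a self-signed cert.
func Issue(issuer string, issuerSK ed25519.PrivateKey, subject string, subjectPK ed25519.PublicKey) Cert {
	c := Cert{Issuer: issuer, Subject: subject, SubjectPK: subjectPK}
	c.Sig = ed25519.Sign(issuerSK, certBody(c))
	return c
}

// VerifyArtifact accepts only if (1) the cert's issuer is a trusted root,
// (2) the root really signed the cert, and (3) the subject key signed the artifact.
func VerifyArtifact(ts TrustStore, c Cert, artifact, artifactSig []byte) error {
	root, ok := ts[c.Issuer]
	if !ok {
		return errors.New("issuer " + c.Issuer + " is not in the trust store")
	}
	if !ed25519.Verify(root, certBody(c), c.Sig) {
		return errors.New("certificate signature does not verify under the trusted root")
	}
	if !ed25519.Verify(c.SubjectPK, artifact, artifactSig) {
		return errors.New("artifact signature does not verify under the subject key")
	}
	return nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

// Outcome records the verification result of each constructed case.
type Outcome struct {
	CASigned, SelfSignedBefore, SelfSignedAfter, Tampered error
}

// Scenario walks through the four cases described in the lead-in.
func Scenario() Outcome {
	caPK, caSK := genKey()   // constructed: a CA the user already trusts
	mPK, mSK := genKey()     // constructed: a package maintainer's key
	artifact := []byte("constructed package contents v1.0")
	sig := ed25519.Sign(mSK, artifact)

	ts := TrustStore{"Example CA": caPK}
	var o Outcome

	// Case 1: the CA vouches for the maintainer key; the verifier trusts the CA.
	o.CASigned = VerifyArtifact(ts, Issue("Example CA", caSK, "maintainer@example", mPK), artifact, sig)

	// Case 2: self-signed key; rejected until the user adds it to their own store.
	self := Issue("maintainer@example", mSK, "maintainer@example", mPK)
	o.SelfSignedBefore = VerifyArtifact(ts, self, artifact, sig)
	ts["maintainer@example"] = mPK
	o.SelfSignedAfter = VerifyArtifact(ts, self, artifact, sig)

	// Case 3: one flipped bit in the artifact; the trusted chain does not help.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	o.Tampered = VerifyArtifact(ts, self, tampered, sig)
	return o
}

func main() {
	o := Scenario()
	fmt.Println("CA-signed:", o.CASigned)
	fmt.Println("self-signed, not in store:", o.SelfSignedBefore)
	fmt.Println("self-signed, added to store:", o.SelfSignedAfter)
	fmt.Println("tampered artifact:", o.Tampered)
}
```

The point the example makes is the one the comment makes: the signature math is identical in every case; what differs between "CA", "web of trust" and "self-signed" is only which keys end up in `TrustStore`, and who gets to put them there.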
I don't know the exact details of sigstore, but the initial pitch sounds a lot like 'Let's Encrypt certs, but different for the sake of being different.'
Sigstore, as used by PyPI and PEP 470, which is what the author gives as an example, is even worse. It's not just that your web of trust must include big corporations. In order to use it, you must delegate package uploads and your binary package build process to one of four for-profit companies: Microsoft, Google, ActiveState, or GitLab. Proponents will argue that, in principle, other organizations could be added, and these are only the initial ones, but in practice, that often amounts to nothing.
It's a bit odd to see someone start out their post with vaguely anti-capitalist, or at least anti-corporate, comments, and then proceed to promote a process that moves control of signed packaging entirely into the control of a handful of companies.
Meanwhile, Signal, while I use it extensively, would seem quite limited for security reports. It's essentially a phone instant messenger. It doesn't have any of the features that might be needed for something beyond a small personal project with one maintainer.
For Signal, I think that's fine in the abstract. It being a non-profit already puts it ahead of most of the alternatives.
But as you describe it, yeah, Sigstore sounds pretty bad as an ecosystem-wide mandated solution.