undefined | Better HN

0 pointscloudhead2y ago0 comments

That's not quite right, we solved this in Radicle. Each change in ownership (adding/removing maintainers) is signed by the previous set of owners. You can therefore trace the changes in ownership starting from the original set, which is bound to the Repository ID.

0 comments

mariusor2y ago

Sure, but again, you've added convenience - or what you feel like it's convenience - for something that probably can be achieved right now with open source tools. A "CONTRIBUTORS" file with sign-offs by maintainers is an example of a solution for the same thing.

I don't deny that your improvements can benefit certain teams/developers but I feel like there are very few people that would actually care about them and they're not making use of alternatives.

cloudheadOP2y ago

A CONTRIBUTORS file is easy to change by anyone hosting the repository - it's useless for the purpose of verification, unless you have a toolchain to verify each change to said file. "Sign-offs by maintainers" it not useful either unless you already know who the maintainers are, and you are kept up to date (by a trusted source) when the maintainers change. This is what Radicle does, for free, when you clone a repo.

mariusor2y ago

All good points, but now you moved the trust requirement from me having to trust the people working on the code, to me having to trust the tool that hosts the code. I'm not convinced your model is better. :P

3 more replies

MatthiasPortzel2y ago

How do I verify the “original set”, or the Repository ID, if not out-of-band communication (like a project’s official website)? And then what advantage does this have over the project maintainer signing commits with their SSH key and publishing the public key out-of-band?

I think there’s room for improvements in distributed or self-hosted git, but I think they exist more in the realm of usability than any technological limitations with the protocol. Most people don’t sign git commits because they don’t know it’s possible—not because it’s insecure.

cloudheadOP2y ago

The repository id can be derived via a hash function from the initial set of maintainers, so all you need to know is that you have the correct repository id.

The advantage of this is that (a) it verifies that the code is properly signed by the maintainer keys, and (b) it allows for the maintainer key(s) to evolve. Otherwise you’d have to constantly check the official website for the current key set (which has its own risks as well)

georgyo2y ago

I'm not sure how any of this solves the problem.

If I am on the internet there is no key or keys that I could definitively say came from the _real_ maintainers. I need to trust some source or sources for that.

In your model, committing to the repo requires a private key. This key claims ownership of the repo. If that key is lost or stolen I have lost ownership of that repo. With no out of band method to recover it.

If that key is unknowing stolen, ownership is switched to a new key, this is a pretty bad scenario.

Basically, I still always need to go to some other out of band source to verify that bad things have not happened.

1 more reply

anonymousDan2y ago

It's seems to me that for security reasons it might be a good idea to support separate signing keys for normal commits and commits that change the ownership set. This would allow you to keep the ownership change keys offline under the assumption they are rarely used. This is something PoS cryptocurrencies tend to do by having a separate withdrawal key for accessing stake to the signing key used for block proposals, attestations etc.

cloudheadOP2y ago

Interesting idea, thanks!

bawolff2y ago

How do you know the repository id is the correct one?

You have just changed the requirement from knowing the maintainers public key, to knowing a different public key. Sounds pretty much the same problem to me.

cloudheadOP2y ago

The difference is that the repository id is stable, while the maintainer keys can change.

bawolff2y ago

Except repository ids change when the repo is forked.

1 more reply

e12e2y ago

How do you fork an abandoned repo?

cloudheadOP2y ago

When you fork an abandoned repo, you are essentially giving it a new repository identity, which is a new root of trust, with a new maintainer set. You'll then have to communicate the new repository identifier and explain that this is a fork of the old repo.

j / k navigate · click thread line to collapse

0 comments

mariusor2y ago

I don't deny that your improvements can benefit certain teams/developers but I feel like there are very few people that would actually care about them and they're not making use of alternatives.

cloudheadOP2y ago

mariusor2y ago

3 more replies

MatthiasPortzel2y ago

cloudheadOP2y ago

The repository id can be derived via a hash function from the initial set of maintainers, so all you need to know is that you have the correct repository id.

georgyo2y ago

I'm not sure how any of this solves the problem.

If I am on the internet there is no key or keys that I could definitively say came from the _real_ maintainers. I need to trust some source or sources for that.

If that key is unknowing stolen, ownership is switched to a new key, this is a pretty bad scenario.

Basically, I still always need to go to some other out of band source to verify that bad things have not happened.

1 more reply

anonymousDan2y ago

cloudheadOP2y ago

Interesting idea, thanks!

bawolff2y ago

How do you know the repository id is the correct one?

You have just changed the requirement from knowing the maintainers public key, to knowing a different public key. Sounds pretty much the same problem to me.

cloudheadOP2y ago

The difference is that the repository id is stable, while the maintainer keys can change.

bawolff2y ago

Except repository ids change when the repo is forked.

1 more reply

e12e2y ago

How do you fork an abandoned repo?

cloudheadOP2y ago

j / k navigate · click thread line to collapse