Ubuntu needs a new development model

John Moser john.r.moser at gmail.com
Thu May 6 20:23:52 UTC 2010


On Thu, May 6, 2010 at 4:07 PM, Dmitrijs Ledkovs
<dmitrij.ledkov at ubuntu.com> wrote:

> http://en.wikipedia.org/wiki/Web_of_trust
>
> The thing that all packages in debian rely on to prove that they are authentic?


He said easier to trust PEOPLE.  Look at the PGP web of trust, people
with dozens or hundreds of signatures on their PGP public keys.  When
I was using GPG for a year to sign my e-mails, I re-downloaded my
public key from the key server and found that some 15 or so people
that I'd never heard of had signed my key.

Your first response to this is going to point out that Ubuntu could
trust only keys signed with keys that themselves are signed with an
Ubuntu Master Key or some such; so maybe Martin's key is signed by
Canonical, Inc and Martin signs your key, so you're valid.  You sign
another key, that is still called "untrusted."  Thus, we don't have
the crazy uncontrolled mess described above.

Which brings us back to trusting people.

Out of the hundreds, thousands of people that you want to incorporate
into your trust hierarchy, how do you determine which can be trusted?
Who is talking their way through you, showing good work, uploading
hundreds of excellent packages with stopgap patches or well-requested
features and things that won't go into Main or will go in later; but
in secret, really waiting for a good time to slip malware into a
package?

It doesn't have to be patches they wrote; could be a -ck kernel or a
kernel with a piece from -mm, or a patch onto Gimp that's gained
popularity but nobody felt fit to pay attention to, or any other
3-seconds-of-work patching process.  More than 3 seconds?  Oh, this
one I hit a bump with, I think I'll just discard it; I've got plenty
of other "work" to show.

The smoke and mirrors is a bit complex; but we're talking about a
threat that essentially amounts to "someone wrote, compiled, packaged,
tested, and uploaded a piece of malware to a repository they needed
special permission to join."  This is not a fat businessman pushing
the "SPAM THE WORLD" button.

Every time someone suggests finding a way to trust people more (or in
this case, trust more people), God laughs at them.  A lot.  The only
way to fully trust an individual is to hang a camera and a turret
above his head constantly, and even then you can't be sure; the only
way to improve how much you can safely trust someone is to devote
resources to learning about them on a personal and technical (i.e.
background check) level.  When you add hundreds of developers or just
random people to a project, with direct access, you WILL have
problems, and you WILL hand access to people who desperately don't
need it.  This is why the Linux Kernel has 30,000 developers and all
of 1 or 2 people with commit access (Linus and who else?  Drepper and
Andrew maybe).
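The bounded-depth certification policy sketched above (a root key certifies Martin, Martin certifies you, but a key you certify is still "untrusted") as an added worked example; this is not code from the original thread, and the key names and signature graph are constructed placeholders rather than real key IDs.

```python
# Added example (not from the original mailing-list thread): a toy model of a
# bounded-depth certification policy. Key names and signatures are constructed.
from collections import deque

# Signatures as (signer, signed_key) pairs: "signer certified signed_key".
SIGNATURES = [
    ("ubuntu-master", "martin"),   # root certifies Martin (depth 1)
    ("martin", "you"),             # Martin certifies you -> valid at depth 2
    ("you", "someone-else"),       # you certify another key -> depth 3, untrusted
    # fifteen strangers certifying a key nobody vetted: many signatures, no trust
    *[(f"stranger-{i}", "popular-key") for i in range(15)],
]

def valid_keys(signatures, roots, max_depth):
    """Return {key: depth} for every key reachable from a root in <= max_depth hops."""
    by_signer = {}
    for signer, key in signatures:
        by_signer.setdefault(signer, []).append(key)
    depth = {r: 0 for r in roots}
    queue = deque(roots)
    while queue:                       # breadth-first walk from the root keys
        k = queue.popleft()
        if depth[k] >= max_depth:      # stop extending the chain past the limit
            continue
        for child in by_signer.get(k, []):
            if child not in depth:     # first visit is the shortest chain
                depth[child] = depth[k] + 1
                queue.append(child)
    return depth

def is_valid(key, signatures=SIGNATURES, roots=("ubuntu-master",), max_depth=2):
    """True only if a certification chain from a root reaches key within max_depth."""
    return key in valid_keys(signatures, roots, max_depth)

def signature_count(key, signatures=SIGNATURES):
    """How many signatures a key carries; note this says nothing about validity."""
    return sum(1 for _, k in signatures if k == key)

if __name__ == "__main__":
    for k in ("martin", "you", "someone-else", "popular-key"):
        print(f"{k:14s} sigs={signature_count(k):2d} valid={is_valid(k)}")
```

The "popular-key" case shows the point of the message: fifteen signatures from keys outside the hierarchy count for nothing, while one signature from a key that chains to the root does.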
More information about the Ubuntu-devel-discuss mailing list