[arch-general] usbguard package neglected

Eli Schwartz eschwartz at archlinux.org
Tue Oct 27 02:45:51 UTC 2020


On 10/26/20 10:36 AM, arch user via arch-general wrote:
> Sorry for the late answer but I had a second thought about it recently
> and have found several reasons why to update USBGuard anyway:
> 
> 1) It is open source. If there are trust issues one can look at the
> source code and check what has changed between versions.

Doing a security audit is expensive and time consuming. Not doing a
security audit means "look at the source code and see what changed"
accomplishes nothing whatsoever -- we know there are changes or there
would not be a new version, but can you prove there are no hidden back
doors?

> 2) Developers of other packages don't ever sign their commits so they
> don't have a chain of trust at all. While a broken chain of trust might
> be a step backwards, it is still equivalent to having none.

Absolutely not at all.

Projects that never signed their software are like people who live in a
neighborhood where no one locks their front door, because it's too much
work to fiddle with a door key.

Projects with a broken chain of trust are like that one person who
*does* lock his front door, but one day the lock got ripped off the door
and replaced by a gaping hole. It is hugely suspicious and everyone
walking down the street has good reason to notice and suspect a robbery
occurred.

Now, it's *possible* the owner lost his key and destroyed his own front
door in order to get back into his own house. But is it likely?

You could ask him, but he's a recluse slash internet person, so you're
not really sure what he looks like. The guy wandering around inside the
house might be the owner, but he might also be a thief... what do you do?

> 3) Other Linux distributions have updated the package as well. This
> might seem like a weak reason but if I think about it, I find that it
> resembles some kind of peer review.

... apparently you say "oh, I guess you're the owner then, sorry to
bother you. BTW you should probably fix your door because it looks weird
now. No pressure."

That's indeed weak. What kind of peer review are you claiming this is,
exactly?

...

The point of a signing key is to say "this key certifies the correct
software and I commit to using it. Anything else is automatically
suspect as malware".

You don't immediately respond by saying "well it came from the same
website and some unverified source told me the key totally got lost but
it's fine. So let's blindly click accept".

It doesn't matter if other distros are okay with that. Arch Linux is not.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
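The pinned-key policy the reply describes, as an added example that is not part of this thread, of usbguard or of makepkg: a Python check that applies the role validpgpkeys= plays in a PKGBUILD to gpg's --status-fd output, so a cryptographically valid signature from a key that is not on the pinned list is rejected rather than clicked through. All fingerprints and status lines below are constructed placeholders, and verify_file assumes a gpg binary on PATH.

```python
import re
import subprocess
from typing import Iterable, Set, Tuple

# Pinned signing-key fingerprints, the role validpgpkeys= plays in a PKGBUILD.
# Constructed placeholder, not any real upstream key.
PINNED_FINGERPRINTS: Set[str] = {"0000000000000000000000000000000000000001"}

# gpg --status-fd lines: VALIDSIG carries the full fingerprint, GOODSIG only a key id.
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40,64}) ")
# Anything gpg could not verify, plus expired/revoked keys, is a hard failure here.
FAILURE = re.compile(r"^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)\b")


def check_status(status_lines: Iterable[str], pinned: Set[str]) -> Tuple[bool, str]:
    """Accept a signature only if gpg verified it AND the signing key is pinned.

    A valid signature from a key that is not on the list is rejected outright:
    a "lost" or replaced key is a trust failure, not something to click through.
    """
    fingerprint = None
    for line in status_lines:
        line = line.rstrip("\n")
        if FAILURE.match(line):
            return False, "gpg could not verify the signature: " + line
        match = VALIDSIG.match(line)
        if match:
            fingerprint = match.group(1)
    if fingerprint is None:
        return False, "no VALIDSIG line, signature not verified"
    if fingerprint not in pinned:
        return False, "valid signature, but key %s is not pinned" % fingerprint
    return True, "signature made by pinned key " + fingerprint


def verify_file(sig_path: str, file_path: str, pinned: Set[str]) -> Tuple[bool, str]:
    """Run gpg (assumed installed) and apply the pinned-key policy to its output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return check_status(proc.stdout.splitlines(), pinned)


# Constructed sample status output (not captured from a real gpg run).
KEY1 = "0000000000000000000000000000000000000001"  # the pinned key
KEY2 = "0000000000000000000000000000000000000002"  # a new, unannounced key
STATUS_PINNED = ["[GNUPG:] NEWSIG", "[GNUPG:] GOODSIG %s Maintainer <m@example.invalid>" % KEY1[-16:],
                 "[GNUPG:] VALIDSIG %s 2020-10-26 1603670400 0 4 0 22 10 00 %s" % (KEY1, KEY1)]
STATUS_NEW_KEY = ["[GNUPG:] NEWSIG", "[GNUPG:] VALIDSIG %s 2020-10-26 1603670400 0 4 0 22 10 00 %s" % (KEY2, KEY2)]
STATUS_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG %s Maintainer <m@example.invalid>" % KEY1[-16:]]
```

STATUS_NEW_KEY is the "lock ripped off the door" case: gpg reports the signature as good, and the policy still refuses it because the key is not the one that was committed to.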
