#boot
2016-09-11
xcthulhu16:09:06

@keatondunsford I'm a digital currency consultant myself - I wrote the mining algorithm with Vitalik for Ethereum back in the day.

xcthulhu16:09:11

I honestly found the audacity of claiming the thing is "Web 3.0" rather pretentious, but yeah, Ethereum is in general pretty cool.

keatondunsford19:09:45

@xcthulhu That’s awesome! Hey, being pretentious is cool so long as you’re right. 😉 Which it’s starting to seem like y’all are. The progress has been amazing.

danielcompton20:09:00

Hey folks, I’m a Clojars admin, along with Toby. Just wanted to clear up a few things about Clojars.

danielcompton20:09:01

1. JAR deletions are an entirely manual process from Toby or me. Our policy is here https://github.com/clojars/clojars-web/wiki/About#how-do-i-delete-a-jar, but we have a different take on things to NPM. Deletions happen for three main reasons: 1. Someone pushed private info/a private JAR, 2. Security issues with a JAR (e.g. a hacker pushed a JAR which takes over people’s computers), 3. People accidentally pushed a JAR and there have been few if any downloads.

danielcompton20:09:16

We wouldn’t delete a ‘spam’ jar like FS

danielcompton20:09:35

And we wouldn’t delete any JAR that had any significant number of downloads

danielcompton20:09:45

“Don’t break the build” is the motto

danielcompton20:09:19

2. There are some security mechanisms in place to detect modified JARs (say someone hacked the server and replaced a bunch of JARs with malicious code). Not sure how much I can say about this at the moment

danielcompton20:09:52

3. JAR signing is very much on our radar, would be super keen to have input from y’all on https://github.com/clojars/clojars-web/issues/560

micha20:09:34

i don't see how GPG can be a good solution there

micha20:09:54

it only handles the crypto part, but doesn't have any way to address the trust part

micha20:09:22

the mechanics of signing jars can be paved over in boot/leiningen tasks pretty easily i think

micha21:09:22

the fundamental problem is given a jar that is verified to be signed with a specific key, how do i know whether to trust that key?

micha21:09:08

the only way i can imagine right now is to get a real certificate from a recognized certificate authority, like verisign or whatever

micha21:09:22

and this is an investment of time and money for each developer

micha21:09:34

basically like what you see with android and ios development

micha21:09:46

i really don't see any feasible alternative

micha21:09:48

as it is today gpg signatures are of questionable value

danielcompton21:09:49

4. There used to be two repos on Clojars: a free for all, and a signed repo. You would promote JARs from free for all to signed, but as has been discussed before, there was no meaningful security benefit for signing the JARs without a web of trust

danielcompton21:09:11

GPG signatures by themselves are of questionable value, totally agree, unless you can get a web of trust bootstrapped

danielcompton21:09:28

So keybase seems like it may be able to help there

micha21:09:42

their whole thing is built on npm though

micha21:09:48

i don't trust it

danielcompton21:09:50

what do you mean by ‘built on NPM’?

micha21:09:04

when i installed the client it was a nodejs program

micha21:09:24

used npm to install stuff

micha21:09:13

my concern is what third party node libraries are they using in there

micha21:09:16

stuff like that

danielcompton21:09:11

looks like they’ve switched over to Go anyway

micha21:09:22

also i don't really see the overall purpose there

micha21:09:35

like how do social media accounts really relate to trust?

danielcompton21:09:02

Lets you tie your github account to your identity

micha21:09:07

how is this better than using a professional CA that is legally responsible in court for their security?

micha21:09:19

i don't know about how secure github and twitter are, and their security totally hinges on the security of their SSL certs

danielcompton21:09:21

it might not be, could you describe what the mechanics would be for using a professional CA? All devs have to get a certificate from a CA which they sign JARs with?

micha21:09:55

yes, exactly

micha21:09:26

like what you do with android or ios packages

danielcompton21:09:35

and in that cert, they have all of the groupIDs that they can sign for?

micha21:09:55

presumably, yes

danielcompton21:09:17

It all hinges back down to bootstrapping trust. How would a CA verify a developer’s identity? It’s relatively simple to verify if someone controls a site, you can check the site. Not sure what it would mean to verify their identity

micha21:09:53

they do this all the time, know your customer stuff

danielcompton21:09:12

like send your ID in?

micha21:09:40

yeah, they know how to do it

micha21:09:48

i mean CAs are a thing

danielcompton21:09:54

Can they do it for something that isn’t a website though?

micha21:09:55

not a new idea at all

danielcompton21:09:04

That on its own doesn’t address WOT though, anyone can sign a JAR for anyone else’s code no?

micha21:09:50

i don't think so, you need to specify the organization info when you apply for a cert, no?

danielcompton21:09:02

All of the pages I can see about getting a CA cert for JAR signing seem to talk about it in the context of a desktop app, where Java will pop up a window saying “This app is signed by Acme Corporation Ltd, do you want to trust it?”. I don’t see anywhere at https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR185&actp=search&viewlocale=en_US about entering a package name or group ID for signing

danielcompton21:09:13

this all sounds promising anyway, would you be able to write up your proposal on that GH issue?

danielcompton21:09:22

thanks for the good discussion!

micha21:09:27

sure, see you later!

juhoteperi21:09:11

Btw. One problem with Keybase I think is that it deals with personal keys mostly

juhoteperi21:09:24

What about companies and other groups making software?

juhoteperi21:09:03

(At Metosin currently the packages are signed by the one making the release, but that is a bad way, we will probably set up a CI which signs everything using one key)

micha21:09:43

yeah it seems to me that what you need is a way to match a crypto signature to a real human being who is responsible for that key

micha21:09:14

or a company, naturally

juhoteperi21:09:29

My co-worker has done some work recently for checking signatures

juhoteperi21:09:58

(he's probably sleeping already :D)

micha21:09:28

is the problem not already solved in the mobile app world?

micha21:09:53

iirc when making an android app we had to get a cert for our group id basically

juhoteperi21:09:47

https://github.com/miikka/lein-pinkeys <- a tool to pin the keys of packages so that you notice if the key changes between versions, this helps a bit even without WoT

juhoteperi22:09:37

http://vapaus.org/varpushaukka/feed.xml <- a report from a list of packages about the status of their signatures

micha22:09:51

with transitive dependencies though it gets too complex to do hacks

juhoteperi22:09:13

How can certs be validated if they don't correspond to a domain?

juhoteperi22:09:35

Hmm, the common name is the group id?

micha22:09:41

like with SSL the cert must match some well-known request metadata (the domain)

micha22:09:51

with jars you'd have the class names

micha22:09:59

each class would need to be signed or something

micha22:09:13

that's what i got from the java tutorial there

micha22:09:19

you have the sigs in the manifest

micha22:09:33

and i think the jvm handles it from there

juhoteperi22:09:47

but what data would you use when you create the cert request?

micha22:09:57

the package root i suppose

juhoteperi22:09:01

Or group id?

micha22:09:03

like com.my.company

micha22:09:19

then i can sign classes with names like com.my.company.myapp.Widget

juhoteperi22:09:31

Yeah but that is not something you use with Clojure

juhoteperi22:09:13

Doesn't matter, it is not used currently and people won't start using it "just for security"

juhoteperi22:09:35

Solution has to be something that works with currently libs

micha22:09:37

i dunno what to say about that 🙂

micha22:09:00

current libs are not in any way trustworthy

juhoteperi22:09:29

It would be really hard to convince everyone to change package names (or namespaces)

micha22:09:38

well not everyone would do it

juhoteperi22:09:38

Maybe I'm a pessimist

micha22:09:43

and that's fine

micha22:09:03

but if i am concerned about my customer data i won't use the non-signed jars

micha22:09:33

so i'll carefully inspect the ones i need and self-sign them internally if i must

micha22:09:39

or something like that

juhoteperi22:09:09

I would hope it can be solved in a way that is so easy to set up that nearly everyone would use it

micha22:09:31

seems pretty important to have an area for professionals as well as one for open source

micha22:09:48

for when correctness and security really matter

micha22:09:22

it's pretty scary how much trust is put in software that nobody knows wtf it's really doing

juhoteperi22:09:08

And some Clojure libraries bring in a crazy amount of (or crazy large) transitive dependencies

micha22:09:18

if the thing is signed by a legit entity you can at least sue in court

micha22:09:26

if malicious code is injected

juhoteperi22:09:34

If a library includes 40MB (uncompressed) of classfiles, there is no way to know what it does

micha22:09:51

and then our customers trust us with their secrets

micha22:09:07

maybe it's the job of the repository?

micha22:09:27

like the repo pledges to know every human who uploads jars

micha22:09:41

and maybe provides certs etc

juhoteperi22:09:01

Is there a separate channel for this yet? I only read the discussion from point when Daniel joined here

micha22:09:13

yeah there should be one

micha22:09:27

i don't think there is one yet

juhoteperi22:09:33

Re: CAs, I don't think they do nearly any human check for basic level certs

juhoteperi22:09:55

Probably something like automated check that contact name is the same as domain whois info or something

micha22:09:01

if you get an apple cert for ios they know who you are, i think

micha22:09:16

you need to have all kinds of info on record with them

micha22:09:35

but yeah, you'd need to keep track of the humans in some real way

juhoteperi22:09:50

Or hmm. CSR doesn't have any contact info, pretty much only CN

micha22:09:00

minimum a real mailing address, probably

juhoteperi22:09:36

Hmm.. yeah. Been some time since I last renewed a cert.

juhoteperi22:09:49

Email address is required; it is not included in the final cert, I think.

juhoteperi22:09:28

I'm quite sure Let's Encrypt is purely automated, no human checks

juhoteperi22:09:44

The only check is that you have control of the domain you request cert for

micha22:09:01

and if you have the domain maybe that's enough to prove you own the group id

micha22:09:09

i guess no

micha22:09:15

that's not good at all

danielcompton22:09:19

Discussion in #clojars would be good