Requiring 2FA to Publish to Crates.io

Finn · 2018-07-21T09:13:38.672Z

Why not simply use the hash value of a crate. After reviewing that crate, the name+version and hash value is added to a whitelist. Such a system could be distributed, many people would reviewing crates independently and one could compute the intersection of whitelists. Or people could link to whitelists they trust, building a web of trust. Furthermore a factor could be stated, indicating how much someone trusts a certain crate or whitelist.

The pros is ultimate security. The cons is complications during development and debugging.

Soni · 2018-07-21T17:46:53.954Z

hmm. a blockchain with a block algorithm that only accepts crates.io-signed blocks and refuses to replace packages/versions would solve the MITM problem I think. without being power-hungry and without 51% attacks. altho it’s still hackable.

bascule · 2018-07-21T18:08:47.327Z

A simpler alternative to a blockchain is a transparency log like Certificate Transparency. Mozilla has done some work on applying this to the problem of binary transparency here:

https://wiki.mozilla.org/Security/Binary_Transparency

nyarly · 2018-07-21T20:49:26.512Z

I found this article unhelpful. While Stufft observes a number of real challenges in the space, at the root there’s a very common philosophy: “if it can’t be perfect, it’s not worth it.” They don’t present a solution, or argue that there isn’t a problem to solve.

Contemporary with this article was the beginning of TUF, which was being developed specifically to address the Python infrastructure - which is a bigger challenge, IMO, than Crates is. Since then, TUF has been adopted as the foundation of Docker Notary. It’s a solid approach that might be able to be applied wholesale.

bascule · 2018-07-21T21:23:22.864Z

nyarly:

While Stufft observes a number of real challenges in the space […] Contemporary with this article was the beginning of TUF

Yeah, he didn’t know about TUF at the time he wrote it, and later remarked that TUF addresses enough problems that it’s actually worth it:

twitter.com

Donald Stufft (dstufft)

@steveklabnik @stdlib It doesn’t solve every problem, but it solves enough of them that it’s actually worthwhile IMO

8:50 AM - 15 Feb 2016 1

felix91gr · 2018-07-22T06:46:43.135Z

Oh wow. Now that I’ve studied TUF a little bit, I think it’s amazing. Thanks for bringing it up, I’ve learned something really cool ^^

Coming back to the conversation: I think TUF might be a really good option. It assumes there will be compromise of keys, and works to mitigate whatever impact that could have. That’s really awesome.

If anyone wants to check TUF out, I’d recommend this video, which helped me a lot to really get the system.

bascule · 2018-07-22T13:58:48.390Z

felix91gr:

Oh wow. Now that I’ve studied TUF a little bit, I think it’s amazing. Thanks for bringing it up, I’ve learned something really cool ^^

In case you missed it, there’s an open proposal to add TUF to crates.io here:

github.com/rust-lang/crates.io

Issue: Security model / TUF

opened by tarcieri on 2014-11-24

The fun thing about packaging systems with central package directories is the central package directories have this annoying tendency to be...

C-feature-request infrastructure

I’ve also been discussing a “minimum viable TUF” here:

github.com/rust-lang/rfcs

New RFC: signing registry index commits

by withoutboats on 07:52AM - 14 Jun 18

1 commits changed 1 files with 358 additions and 0 deletions.

Soni · 2018-07-22T15:17:35.153Z

can’t you just MITM that? what stops someone from MITMing that?

bascule · 2018-07-22T16:08:49.619Z

Soni:

can’t you just MITM that? what stops someone from MITMing that?

What stops someone from MitMing a CT log? CT logs are designed to be cryptographically verifiable (indeed the main use case is verifying X.509 certificates prior to opening TLS connections).

It carries a digital signature (i.e. a Signed Tree Head, or STH). To verify something is included in the log you need an inclusion proof (i.e. fragment of a Merkle tree) which is ultimately rooted in an STH. If there isn’t an inclusion proof for a particular binary, it isn’t trusted.

You can read more here:

certificate-transparency.org

How Log Proofs Work - Certificate Transparency

This site describes the Certificate Transparency effort being spearheaded by Ben Laurie, Adam Langley and Stephen McHenry. The effort is designed to significantly increase the security of the Public Key Infrastructure used by web sites and services.

Soni · 2018-07-22T18:58:15.922Z

okay, so it’s basically equivalent but with single points of failure.

system · 2019-03-25T08:30:30.152Z

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.