Cryptography/security is a trust business. Without some kind of personal (or even project) history, I know nothing about you or the project. And if I can’t verify you, I can’t trust you. The rest doesn’t matter much to me.
But maybe that’s just me.
I get it. An 'anonymous' author is a deal breaker for some. I respect that.
The repo is public. The releases are signed. The attestations are published. Nothing hidden.
If that’s not enough — totally fair and I am sure many others would agree. Appreciate your point of view and taking time to give feedback.
Would you please elaborate on how "the releases are signed" helps establish trust in the context of your anonymous developer account?
It means the releases are cryptographically signed using GitHub OIDC, with SLSA v1 provenance and entries in the Rekor transparency log.
That means: You can verify every artifact against its source code, i.e. I have not tampered with the code post deployment. For example, part of the build is a dry-run on the worker build; this is stored as part of the build so you can see / confirm the exact code that was uploaded, and this code is signed.
What people mean with "trust" here is whether they trust there are no subtle security issues. While I think "don't roll your crypto" has been somewhat overstated at times (someone has to write crypto), there is certainly some truth in that you need to be very careful writing this code and that mistakes are incredibly easy to make, even for competent developers.
If I were to release something like this then people can see that 1) this is a guy with >20 years of various contributions to open source and he seems like a basically competent guy we can trust (as much as you can ever trust a single person), but also that 2) he's not a crypto guy and there may very well be oversights. Maybe there are none, but you know...
If someone like, say, Filippo Valsorda would release something like this, then people could see that 1) is basically the same as me, and 2) he's also a well known crypto guy with a good track record. This is not a guarantee there are no oversights, but I would certainly be surprised if there were major ones. I would certainly trust that more than anything I would write.
The whole signing stuff is kind of a red herring IMO. I mean, it's not bad to have I guess, but honestly I don't really care. If anything, focusing too strongly on "box ticking security" so early on seems like the wrong thing to focus on.
Thanks for your feedback. I tried to use off-the-shelf stuff for the crypto and utilised what I believe to be battle tested.
CLI uses Node.js built-in crypto module only: randomBytes, createDecipheriv, createCipheriv.
Web app uses Web Crypto API only.
I'll send Filippo a Postcard and see if he will review it :-P
Is this a bit?