Chan Secodina

@chansecodina@sunny.garden
mastodon 4.5.9
0 Followers
0 Following
Joined February 11, 2024

Posts

@chansecodina@sunny.garden · Mar 24, 2026
@malwareminigun @hyc @coderanger Well, there's two parts to the JiaTan situation:
1) Attackers gained control of the project
2) Attackers (now project owners) published malware

I can't think of any way to mitigate (2), but I can think of some ways to make it slightly easier to defend against (1). I'm open to ideas though!
@chansecodina@sunny.garden · Mar 24, 2026
@hyc @coderanger @malwareminigun Thank you. I guess I think of a "relationship" layer as such an obvious thing to add on top of a plain web of trust that I sometimes conflate the two. I'll agree 100% that "just" a web of trust and nothing more isn't all that useful.
@chansecodina@sunny.garden · Mar 23, 2026
@coderanger @malwareminigun All we can *ever* hope to do is make the attacker's job harder. Right now we can tell people "Hey, you should vet new contributors to your projects" and they'd (correctly!) ask "How should I vet them?". I think a web of trust could be one part of "how you vet people".

In my mind we're talking about two "problems" right now:
1) As a group, we're still assuming good intentions of Internet strangers and that's no longer warranted
2) We don't have good tools for *easily* visualizing relationships, so it's annoying to try and vet newcomers to a project

A web of trust doesn't solve (1), but I think it could be a part of (2).
@chansecodina@sunny.garden · Mar 23, 2026
@malwareminigun @coderanger You can't expect to solve all social problems with technical tools. That said, if a group of accounts, all with zero external relationships in the web of trust, mounts an influence campaign to get one of their own members made into a project maintainer it's going to look fishy.
@chansecodina@sunny.garden · Mar 23, 2026
@coderanger I've been thinking for a while now that it might be worth taking another shot at the web-of-trust. Long term, I think it's the only way forwards, but I agree unless it's dead simple to use it'll be impossible to hit critical mass. I think there will need to be some compromises on the theoretical security (TOFU vs key signing parties? verifying social media handles vs verifying government IDs?). If we could share a <128 character code on Mastodon (or Matrix or IRC) that served the same purpose as a GPG pub key, I think it'd be a lot easier to get people started.

I guess what I'm saying is: I recognize that getting a web of trust going is a Herculean task and that it failed once before, but in the absence of other good options I think it's worth considering whether we should take another stab at it having learned our lessons from the past.