
@mistersql

Today's thoughts: Do you trust that python package? Pick your evidence:

- crypto proof that *some* github account signed a file
- crypto proof that pypi.org transmitted the file to you
OR
- 10 years of published files.
- Maintainer talks at conferences and YouTube channel
- 500 answered issues
- 100 contributors
i.e. *expensive* signalling

Why is the gap between how we *think* trust is created and how trust is *actually* created so large?

Self-replies

Alice and Bob are both North Korean state hackers. Of course they sign their files. They are the ONLY people that sign their files and that makes them suspicious.

Crypto stuff seems more useful for when there is a trust system already in place, e.g. did the trustworthy signer of pipenv v1 sign pipenv v2? I don't know or trust either of these people, but they probably were the same person and get the same trust I give the v1 library.
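The two checks the post above separates, "the index sent me this exact file" and "the same party that signed the version I already trust signed this one", as an added example that is not part of the original thread. It runs over constructed release records; the record layout (version, content bytes, signer fingerprint) and the fingerprint values are assumptions for the demo, not a real PyPI or sigstore data shape.

```python
"""Trust-on-first-use continuity check across package releases (added example).

A signature by itself proves only that *some* key signed a file. It becomes
evidence once there is an anchor: a release you already accepted. This script
anchors on the signer of one release and checks later releases against it,
alongside a digest check that the file you hold is the file the index
published.
"""
import hashlib
import hmac

# Constructed sample data: in practice `content` is the downloaded wheel or
# sdist and `signer` is the fingerprint of the verified signing key (or the
# identity in a verified certificate). "FP-AAAA" / "FP-BBBB" are placeholders.
RELEASES = [
    {"version": "1.0", "content": b"pipenv 1.0 contents", "signer": "FP-AAAA"},
    {"version": "2.0", "content": b"pipenv 2.0 contents", "signer": "FP-AAAA"},
    {"version": "3.0", "content": b"pipenv 3.0 contents", "signer": "FP-BBBB"},
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


# Digests as the index "published" them at upload time (constructed here).
PUBLISHED_DIGESTS = {r["version"]: sha256_hex(r["content"]) for r in RELEASES}


def verify_digest(content: bytes, expected_sha256: str) -> bool:
    """Transport integrity: the bytes you hold match what the index published.
    Constant-time comparison avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(sha256_hex(content), expected_sha256)


def check_continuity(releases, trusted_signer):
    """Walk releases in order; accept while the signer is the anchored one.
    Returns (accepted_versions, first_version_where_signer_changed_or_None)."""
    accepted = []
    for rel in releases:
        if rel["signer"] != trusted_signer:
            return accepted, rel["version"]
        accepted.append(rel["version"])
    return accepted, None


def evaluate(releases, trusted_signer, expected_digests):
    """Combine both checks per version. A digest mismatch is a hard reject;
    a signer change is not proof of compromise (maintainers rotate keys), so
    it is a hold that needs trust re-established out of band."""
    verdicts = {}
    for rel in releases:
        expected = expected_digests.get(rel["version"], "")
        if not verify_digest(rel["content"], expected):
            verdicts[rel["version"]] = "reject: digest mismatch"
        elif rel["signer"] != trusted_signer:
            verdicts[rel["version"]] = "hold: signer changed, re-establish trust out of band"
        else:
            verdicts[rel["version"]] = "accept"
    return verdicts


if __name__ == "__main__":
    anchor = RELEASES[0]["signer"]  # trust-on-first-use: anchor on v1's signer
    for version, verdict in evaluate(RELEASES, anchor, PUBLISHED_DIGESTS).items():
        print(version, verdict)
```

The digest check answers only the thread's second bullet (the index transmitted this file); the continuity check is what turns a signature into evidence about the *party*, and even then it cannot tell a key rotation from a takeover, which is why the script holds rather than rejects on a signer change.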

If you publish a new package on pypi, because of the way it doesn't care about social trust new people can't earn trust. This favors whoever happened to earn trust first.

What is the fix? Well, let people prove that a package was published by a person who controls a particular LinkedIn account, Mastodon account, etc.

Right now, all I can get is
- proof someone controls an email address (so rare, so difficult, so trustworthy!)
- still have control of a github account (same!)
- **self asserted** social media identities and like I say on my pypi page, I AM SANTA CLAUS