
Re: Tor exit nodes



On Mon, Oct 09, 2017 at 10:56:58PM +0200, Adam Borowski wrote:
> 
> We have ~1000[1] DDs from various backgrounds and allegiances.  For most
> governments you'll find a DD ready to sign something nasty because of
> "patriotism" or other personal conviction, with full free will, without
> even an incentive, much less being forced.
> 
Debian as a project is susceptible to this because while we have a
strong notion of identity (e.g., the key signing requirement) we have a
weak notion of trust.  Once someone meets the identity requirement and
passes some basic competency checks, he or she is given "all access."
The ad hoc structure of most Debian teams and various other Debian
functions is designed to make it easy for any random DD to contribute
without going through additional gates.  There are some notable
exceptions (e.g., system administration team, FTP master, release
manager, etc.), but most things in Debian are rather open.

If conflicted allegiance of individual DDs is a concern then it would be
worth discussing some sort of multi-party/multi-key requirement for
certain things.  For example, security uploads may require additional
sponsorship by another DD from another country.  Of course, that would
require a clear definition of compatible matches.  To protect against
nation-state influence of the form you describe, I would put more trust
in something signed off by a pair of DDs from USA and Russia/China than
I would something signed off by a pair of DDs from USA and UK or Russia
and China.

Then of course there is the problem of determining someone's allegiance.
We have DDs born in one country that live and work in another and
perhaps hold citizenship of yet a third.  Would they be considered
"invalid" in matters concerning their country of birth, their country of
citizenship, country of residence, or some combination thereof?  Also,
would a DD who works for or has previously worked for a national
government be considered differently than one who has not?

Even given Debian's relatively weak trust model, I think that a
nation-state would likely seek to "enter" through an upstream project.
There are loads of upstream projects that would be wide open to that
sort of exploitation and it would be far easier to gain access through
upstream code than it would through some "security" update to Debian.
Some upstream projects have huge code bases and I would be surprised if
a meaningful number of them are being carefully audited, or even
cursorily reviewed, as their new versions enter Debian.

> 
> Thus: the gpg model has way too many holes to risk your life for it.
> 
I agree.

> 
> [1]. Although Mattia Rizzolo has an evil scheme to destroy Debian by
> bringing that number to 0. :þ
> 
If we stop at 1 instead of 0 does Debian then become the singularity?
That might be a good way to take over the universe.

Regards,

-Roberto

-- 
Roberto C. Sánchez