It ends up in believing and not assurance.

If user did not verify fingerprints, by some other
communication line, in reality nothing have been
really secured, we have got belief only, and not
assurance.

Servers can be compromised and they do get
ocassionally compromised.

Example is where full distribution have been compromised:
https://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/

pacman or other package manager verifies that the
package have been signed by the referenced PGP
key.

For user, especially if user does not know
nothing, it really means nothing. Because there is
no true security there.

If you don't know which door in your house is
closed or open that does not mean your doors are
closed and you are safe, just because you don't
know it.

Server can be compromised and package databases
can be compromised.

PGP keys can be published without any connection
between the actual key controller and the email
address or PGP identity.

There are few fake PGP identities of RMS in PGP
servers for example.

It gives some feeling or assurance, it does not
give security.

It all ends up with the trust based on belief into
the domain and servers, and that the domain and
its servers where packages aor package databases
located are trusted.

But there is no assurance whatsoever to know if
the that domain was cracked, as we all do not have
any access to domain.

So believe into maintainers who maintain their
domains and servers that nothing was compromised.

Which means there is no security at all.

We base the downloads of free software on trust,
not on security.

All these facts shall be made known by each
distribution:

- that hashes help only to verify that expected
file arrived from server to local computer, and
says nothing about the genuity of the package or
that it is not compromised, and that it is valid
only when the original file would be signed by
PGP key and such PGP key fingerprints verified
between the user and the real key owner

- that PGP signatures cannot be assurance of any
security unless fingerprints have been verified
by independent communication line with the key
owner

For more info:
https://gnupg.org/faq/gnupg-faq.html#how_do_i_verify_signed_packages
Now when knowing this, what users do often is
following (not all users):

- in the first place does not know and does not
have easy access to the information WHO is the
maintainer of the package or controller of the
PGP key, information exists, but is not easy
accessible

- does not get copy of author's public
certificate, but rather relies on domain and
server or distribution itself, probably does not
even know the URL from where packages are
downloaded, and certainly does not import the
certificate into his own keyring, but let it to
pacman or package manager to handle it,

- does not use the trusted source, but simply
trusts everything, user is naive, and we shall
make it clear to them that no absolute security
exists that package was not compromised

- does not understand that something like
***@example.com can be faked by just
anybody and that everybody can make PGP key for
any email address in the world

- does not verify if the certificate is recent or
changed in comparison to prior code releases

- and does not know how to use GnuPG

And when package databases and such software is
held on mirrors, then even the worse opportunity
to get compromised software.

Conclusion is that all the efforts that package
maintainers are doing can be futile by one single
server compromise and changes to the package
databases.

Jean

I know.

Majority of users will not know.

In regards to number of signatories in the web of
trust, in matter of minutes it is posssible for
anybody to create PGP keys, such as

***@example.com

and sign that key with multiple other keys, and
upload the key which was verified by web of
trust. I can sign such key with multiple other
fake keys.

We are back at the fact that
It is not.

It is well known that security is only as strong
as its weakest link.

In this case, it is as secure as possibility to
enter some GNU/Linux server and compromise it. To
enter the server is very weak link.

I have been maintaining servers since decades. And
have launched multiple servers. Backdoors,
intruders, spammers, game players, all kinds of
people enter remote servers, and thousands of them
attempt to enter the servers worldwide.

How do we know that:

- maintainers don't have "friends" in their houses
who have access to their computers, they can
read passwords, they can implement backdoors,

- how do we know which password policies
maintainers use in general? Maybe their
passwords are too simple and can be cracked. I
don't believe each maintainer of distributions
is aware of security. We have recently seen Blag
distribution being removed for not being
updated. To me that is security issue.

- how do we know that maintainers truly know their
hosting system? That it is safe from other
people?

- how do we know the maintainers of distribution?

There are many more such questions.

To rely on hashes which are located on mirror
servers, like for example Digitalocean is doing
so, is simply no security at all. It is just
mechanism to make sure that file that was checked
before downloading is the same file downloaded.

It does not say anything about the genuity of the
file.

To rely on PGP signatures, which we did not check,
well that is by PGP standard incorrect, so if we
do so, that means there is no security at
all.

To rely on "web of trust" by standard requires me
to know those people in the web of trust, that is
why there is trust, if I know them, and who they
are, I can trust that key belongs to one person.

Just to see the list of numerous people who signed
a key is not "web of trust", it is just list of
numerous people who signed a key, nothing
else.

Instead:

In my opinion it would be good enough to trust to
the domain from where packages are taken, for
example:

- trusting Hyperbola.info domain for example, or
gnu.org

- all package databases to be downloaded from
there

- all PGP signatures, hashes to be downloaded from
there

- problem is with mirrors, so the above
information would be used to verify that
packages on mirrors are genuine by using hashes,
and by using GPG

- that the trusted domain keeps system of tracking
users, and a log, so prove to public that was
not compromised, or otherwise to show policies
on how the original domain is maintained and
controlled, policies for maintainers, who is
really accessesing and who is really responsible
for publishing of those packages

And then to implement such security system
centrally.

Security is only as strong as its weakest link.

Jean