> As I’ve said in other comments: “can” translates to “won’t” in cryptographic contexts. Gossip does not matter if it doesn’t have controls behind it.
Yes, so you... code the client to check for the presence of multiple signatures (in the F-Droid case where the F-Droid service knows about the original author signature) or ship the URLs for two of the independent actors in the default configuration (in the GNU Guix case)? This does not seem like a hard problem.
> Could you provide an example scenario?
Whatever person or company runs the box that builds Homebrew packages tampers with that box.
Maybe Microsoft gets a National Security Letter, or has a tenant isolation bug. Or I dunno, the last time I seriously worked with Homebrew they were running Jenkins on a Mac Mini in some random colo facility, and the maintainers definitely had root on that thing.
> code the client to check for the presence of multiple signatures (in the F-Droid case where the F-Droid service knows about the original author signature)
This trusts the client for both parties, while also treating the client as a potentially malicious party. This puts you back at 1-of-N.
> or ship the URLs for two of the independent actors in the default configuration (in the GNU Guix case)
This gets very unreliable, very fast: independent verifiers go down, stop verifying, &c. Even extremely well capitalized companies struggle to run reliable timestamping and similar services; I don’t think it would be responsible to tie Homebrew’s availability to the accessibility of a small handful of external, bespoke hosted services.
This is all to say: checking multiple points of trust without implicitly collapsing them into a single point of trust is, in fact, a pretty hard problem. Especially when you throw external unreliabilities into the mix.
To the best of my knowledge, all Homebrew bottles are currently built on GitHub Actions; there hasn’t been a Jenkins box in a while. The entire point of this work is to bootstrap signatures on the latent identities that GitHub Actions provides, since doing so avoids nearly all of the normal logistical issues that pop up when doing codesigning.
> This trusts the client for both parties, while also treating the client as a potentially malicious party. This puts you back at 1-of-N.
Is this just the "well how do you get a trustworthy copy of the software you rely on to tell you whether copies of software are trustworthy" question? Since obviously once you have that software, it can download as many different signatures as it wants from the F-Droid service and validate them locally without needing to trust the F-Droid service; that is the point of digital signatures.
That seems like it'd be an issue for your thing as well, since the two available ways to install Homebrew itself are curl|bash and downloading/running an installer from a GitHub Releases page. Then again, if the security model here revolves around axiomatically trusting Microsoft (and also believing Microsoft is the only entity in the world capable of running CI/CD infrastructure), I guess that's not an issue.
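One way to do the client-side check the two comments above argue over, as an added example that belongs to none of the thread's participants, Homebrew, F-Droid or Guix: a k-of-N verifier that counts only distinct pinned signers, so a compromised build key cannot satisfy the threshold on its own. Signer names, keys and artifact contents are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Signature is what the client fetches next to the artifact: the claimed
// signer's name plus a raw Ed25519 signature over the artifact bytes.
type Signature struct {
	Signer string
	Sig    []byte
}

// VerifyThreshold counts the distinct pinned signers (author, F-Droid, a
// rebuilder, ...) with a valid signature over artifact and reports whether
// that count reaches k. Distinctness is the point: a second signature from
// the same key, or a valid one from a key the client never pinned, must not
// move the count, or k-of-N silently degrades to 1-of-N.
func VerifyThreshold(artifact []byte, sigs []Signature, pinned map[string]ed25519.PublicKey, k int) (int, bool) {
	seen := make(map[string]bool)
	for _, s := range sigs {
		pub, ok := pinned[s.Signer]
		if !ok || seen[s.Signer] {
			continue // unknown signer, or already counted once
		}
		if ed25519.Verify(pub, artifact, s.Sig) {
			seen[s.Signer] = true
		}
	}
	return len(seen), len(seen) >= k
}

// Scenario models a compromised build box: the "ci" key signs a tampered
// artifact, while the independent "author" key only ever signed the honest
// one. It returns the counted signers and the 2-of-2 verdict for both cases.
func Scenario() (honestN int, honestOK bool, badN int, badOK bool) {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	ciPub, ciPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := map[string]ed25519.PublicKey{"author": authorPub, "ci": ciPub}
	honest := []byte("constructed sample: honest package contents")
	tampered := []byte("constructed sample: backdoored package contents")
	honestSigs := []Signature{
		{"author", ed25519.Sign(authorPriv, honest)},
		{"ci", ed25519.Sign(ciPriv, honest)},
	}
	// The attacker signs twice with the CI key and replays the author's old
	// signature; neither trick yields a second distinct valid signer.
	badSigs := []Signature{
		{"ci", ed25519.Sign(ciPriv, tampered)},
		{"ci", ed25519.Sign(ciPriv, tampered)},
		{"author", honestSigs[0].Sig},
	}
	honestN, honestOK = VerifyThreshold(honest, honestSigs, pinned, 2)
	badN, badOK = VerifyThreshold(tampered, badSigs, pinned, 2)
	return
}
```

The verifier still has to obtain the pinned keys out of band (the bootstrapping question raised above); what it no longer needs is to trust the server that hands it the signatures.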