> Unfortunately, if you've used Google Takeout or other systems that can both downsample your photos and videos and actually delete _or change_ metadata, deduplicating becomes a big wad of heuristics.
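To illustrate why metadata changes defeat naive dedup: a whole-file hash changes with any EXIF edit, while a hash that skips the metadata segments survives it. A rough stdlib-only sketch for JPEGs (note this is only one of the heuristics you'd need; downsampled copies would still defeat byte hashing and require perceptual hashing of decoded pixels):

```python
import hashlib

def content_hash(jpeg_bytes: bytes) -> str:
    """Hash a JPEG's image data while skipping metadata segments
    (APPn and COM), so EXIF edits don't change the hash."""
    h = hashlib.sha256()
    i = 2  # skip the SOI marker (FF D8)
    while i + 4 <= len(jpeg_bytes):
        marker = jpeg_bytes[i + 1]
        if marker == 0xDA:  # SOS: entropy-coded data runs to EOI, hash it all
            h.update(jpeg_bytes[i:])
            break
        length = int.from_bytes(jpeg_bytes[i + 2:i + 4], "big")
        segment = jpeg_bytes[i:i + 2 + length]
        # APP0..APP15 (0xE0-0xEF) and COM (0xFE) hold EXIF/XMP/comments; skip them
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            h.update(segment)
        i += 2 + length
    return h.hexdigest()
```

Two copies of the same photo with different EXIF then produce the same `content_hash` but different file hashes, which is exactly the mismatch that forces heuristic dedup.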
I thought takeout exported the original files? (alongside metadata entered into the application)
FWIW: That project started as an internal tool with a playful acronym, then went from obscure to well-known quickly enough that renaming became somewhat regrettable to attempt, just due to momentum. I think we'd have named it differently if we were aiming for widespread usage :-)
We had no reason to worry about making it popular; the effort was staffed to improve development of Kubernetes itself.
Ultimately the system will need to support signatures which represent not just "I made this" but "I reviewed this", and people will need to set policies for whose reviews they trust, and how many reviews they require for each component.
If reviewers can build up a reputation anonymously, that will make it harder to find the human who needs to be crowbarred, but I'm not sure how you prove you are a good reviewer in a way which isn't gameable.
Alternatively, the reviewers could be well known teams in multiple jurisdictions, such that an attacker would need to buy multiple crowbars and multiple plane tickets.
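A sketch of what such a trust policy might look like at verification time (all names here are hypothetical; nothing below is an API the project actually provides, and it assumes cryptographic validity of each signature was already checked separately):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    signer: str
    claim: str  # hypothetical claim types: "authored" or "reviewed"

@dataclass
class ReviewPolicy:
    trusted_reviewers: set   # reviewers this consumer has chosen to trust
    min_reviews: int         # how many independent reviews are required

def satisfies(policy: ReviewPolicy, signatures: list) -> bool:
    """Require min_reviews distinct 'reviewed' signatures from
    trusted reviewers; 'authored' signatures alone don't count."""
    reviewers = {s.signer for s in signatures
                 if s.claim == "reviewed"
                 and s.signer in policy.trusted_reviewers}
    return len(reviewers) >= policy.min_reviews
```

Setting `min_reviews=2` with reviewers in different jurisdictions is the "multiple crowbars and multiple plane tickets" property expressed as policy.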
Those are interesting points / possible approaches, however is there any indication that this particular project enables any of that?
This seems focused on signing binaries / build artifacts.
IMHO, if your threat model is "crowbarred maintainer forced to insert a backdoor", you probably don't trust sources, let alone binaries: you need to vet your dependency sources and then compile your own binaries from them.
Many open source dependencies will not have a jurisdictionally diverse review team, or any review team at all (single maintainer).
With reproducible builds, the difference between signing a binary and signing the source code from which it is built should be meaningless.
I agree that the threat model should include the threat of untrustworthy source code, because we want the countermeasures to work equally well against backdoors, "bugdoors", and genuine bugs.
I suspect that for a lot of projects reproducible builds are themselves a hurdle, and in the rarer cases where they do exist they aren't being verified; but the point about reproducible + signed builds as indirect source-signing stands.
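The verification step itself is mechanically trivial once reproducibility holds, which makes the lack of routine checking notable. A minimal sketch (artifact names are hypothetical):

```python
import hashlib

def rebuild_matches(locally_built: bytes, published: bytes) -> bool:
    """With bit-for-bit reproducible builds, anyone can rebuild from the
    source that a binary signature implicitly covers and compare digests.
    A match transfers trust between source and binary in either direction."""
    return (hashlib.sha256(locally_built).hexdigest()
            == hashlib.sha256(published).hexdigest())
```

A mismatch means either the published binary wasn't built from the source you audited, or the build isn't actually reproducible; distinguishing the two is where the real operational work lives.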
You have to be in person for that attack, which is a much higher cost than taking over someone's account remotely from a different country. It's also a much higher risk of getting caught and going to jail.
Ok but the premise of physical harm in person comes from the parent comment, not mine:
"Most of those dependencies represents at least one human being who can be threatened with a crowbar and forced to ship an exploit, which can then infect vast numbers of production applications."
Those things don't have to be inherently slow, and e.g. external IPs don't need to block bring-up.
I've worked on KIND and on clusters on clouds (at Google, but on multiple clouds), and both can be very quick; if anything there's still low-hanging fruit to make KIND faster that I'd expect a production service with more staffing to handle.
KIND is Kubernetes, typically on much weaker hardware :-)
Within a few minutes is a perfectly reasonable expectation even for "real"-er clusters; see e.g. under 4 minutes: