Curated Web-of-Trust keyrings for free software projects: A case study on Debian's experience

Gunnar Wolf

LibrePlanet 2018; Cambridge, MA, USA; March 24-25 2018
Contents

1 Introduction: Trust models
2 Trust aging
3 Measuring Key Signing Parties
4 Pushing this study forward...
The Debian keyrings: a curated Web of Trust

Figure: Graphical representation of the strong set of the Debian keyring back in 2000
Social studies from transitive trust graphs — And Debian's relative weight

(a) Whole "leaf" (b) Sorted by TLD

Figure: Webs of Trust can teach us quite a bit - Dissecting the Leaf of Trust (Cederlöf 2008)
Work started after a big migration...

Figure: Breakdown of the Debian keyrings by key length, showing the migration away from short keys (<2048 bits)
Out of curiosity, the shape of the keyring

Played with giving the keyring to graphviz
Might not be the best tool: graph orientation and general shape are not stable
...But the results are interesting nonetheless!
Keys are nodes, signatures are edges
Of course, it looks like a simple, useless blob...
Just a simple, boring blob: Debian Developers, 2015.01.01

Figure: Our WoT — A maze of twisty passages, all alike
A fun blob: Debian Developers, January 2014

Thanks to having everything under Git (version control), we have a handy window to the past...

What does this split mean?
Why did it appear?
Where does it come from?
How did it get there?
When did it appear?

Figure: It's ALIVE!!!
Evolution of the keyring

(a) Jan 2009 (b) Jan 2010 (c) Jan 2011 (d) Jan 2012 (e) Jan 2014 (f) Dec 2014 (g) Jan 2015

Figure: Snapshots of the Debian keyring evolution at different points in time
2 Trust aging
Hypothesis: Keyring aging?

Leading up to, and mostly during, 2014, a huge portion of our keyring was replaced
One of the "blobs" marks older keys, the other new replacements?
But why did the split begin as early as 2011?
Note that nodes are grouped by their cross-signatures, not by key age (hence a 1024D key could be in the "younger" group and be expired!)
Or does it mark a generation of Debian Developers, slowly reducing their involvement?
Let's add some color!

Nodes are irrelevant (drawn as points); only edges are important
Edges represent key signatures; color denotes signature age with respect to the point in time the snapshot was taken

Table: Color key for the resulting graphs
Blue: less than one year
Green: 1 to 2 years
Yellow: 2 to 3 years
Orange: 3 to 4 years
Red: over 4 years old
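The steps behind the colored graphs, and behind the earlier "shape of the keyring" and key-length slides, as an added example in Python. This is not code from the talk or from Debian's keyring maintainers. It reads the colon-separated listing that `gpg --with-colons --list-sigs` produces, keeps keys as nodes and signatures as signer-to-signee edges, colors each edge with the table above relative to a chosen snapshot date, lists keys still shorter than 2048 bits, and finds the strong set by mutual reachability. The keyring in `SAMPLE` is constructed (invented key IDs and people, trailing colon fields shortened); all function names are mine.

```python
"""Added example, not code from the talk: signature graph of a keyring from
`gpg --with-colons --list-sigs` output, with edge colors by signature age."""
from __future__ import annotations

import datetime as dt
from collections import defaultdict

# Constructed sample in gpg's colon format.  Field 1 is the record type,
# field 5 the key ID, field 6 the creation date (epoch seconds); on `sig`
# records field 5 is the *signer's* key ID.  Carol's key is 1024-bit DSA.
SAMPLE = """\
pub:u:4096:1:1111111111111111:1388534400:::u:::scESC::::::23::0:
uid:u::::1388534400::HASH::Alice Example <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1388534400::::Alice Example <alice@example.org>:13x:
sig:::1:2222222222222222:1338508800::::Bob Example <bob@example.org>:10x:
sig:::1:3333333333333333:1262304000::::Carol Example <carol@example.org>:13x:
pub:u:4096:1:2222222222222222:1388534400:::u:::scESC::::::23::0:
uid:u::::1388534400::HASH::Bob Example <bob@example.org>::::::::::0:
sig:::1:2222222222222222:1388534400::::Bob Example <bob@example.org>:13x:
sig:::1:1111111111111111:1417392000::::Alice Example <alice@example.org>:13x:
pub:e:1024:17:3333333333333333:1104537600:::u:::scESC::::::23::0:
uid:e::::1104537600::HASH::Carol Example <carol@example.org>::::::::::0:
sig:::17:3333333333333333:1104537600::::Carol Example <carol@example.org>:13x:
"""

# Color key from the slide: age of the signature at snapshot time, in days.
COLOR_KEY = ((365, "blue"), (730, "green"), (1095, "yellow"), (1460, "orange"))


def _date(field: str) -> dt.date:
    """gpg prints epoch seconds by default; older output used YYYY-MM-DD."""
    if field.isdigit():
        return dt.datetime.fromtimestamp(int(field), dt.timezone.utc).date()
    return dt.date.fromisoformat(field)


def parse_keyring(text: str):
    """Return ({keyid: (bits, algo)}, [(signer, signee, date)]).
    `rev` (revocation) records and anything else are ignored."""
    keys, sigs, current = {}, [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            keys[current] = (int(f[2]), int(f[3]))
        elif f[0] == "sig" and current is not None:
            sigs.append((f[4], current, _date(f[5])))
    return keys, sigs


def short_keys(text: str, minimum: int = 2048) -> set[str]:
    """Keys that the migration on the earlier slide was moving away from."""
    keys, _ = parse_keyring(text)
    return {k for k, (bits, _) in keys.items() if bits < minimum}


def age_color(days: int) -> str:
    """A signature dated after the snapshot (negative age) counts as fresh."""
    for limit, color in COLOR_KEY:
        if days < limit:
            return color
    return "red"


def colored_edges(text: str, snapshot_iso: str, include_self: bool = False):
    """(signer, signee, color) for every signature; self-signatures optional."""
    snapshot = dt.date.fromisoformat(snapshot_iso)
    _, sigs = parse_keyring(text)
    return [(s, t, age_color((snapshot - d).days))
            for s, t, d in sigs if include_self or s != t]


def strong_set(edges) -> set[str]:
    """Largest set of keys that can all reach each other along signatures.
    Plain forward/backward reachability: fine for a few thousand keys."""
    out, back = defaultdict(set), defaultdict(set)
    for s, t, *_ in edges:
        out[s].add(t)
        back[t].add(s)
    nodes = set(out) | set(back)

    def reach(start, adj):
        seen, todo = set(), [start]
        while todo:
            n = todo.pop()
            if n not in seen:
                seen.add(n)
                todo.extend(adj[n])
        return seen

    best: set[str] = set()
    for n in nodes:
        scc = reach(n, out) & reach(n, back)
        if len(scc) > len(best):
            best = scc
    return best


def to_dot(text: str, snapshot_iso: str) -> str:
    """graphviz input: nodes as points, edges colored by age."""
    lines = ["digraph wot {", "  node [shape=point];"]
    for s, t, color in colored_edges(text, snapshot_iso):
        lines.append(f'  "{s}" -> "{t}" [color="{color}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(SAMPLE, "2015-01-01"))
    print("short keys:", sorted(short_keys(SAMPLE)))
    print("strong set:", sorted(strong_set(colored_edges(SAMPLE, "2015-01-01"))))
```

To run it on a real snapshot, check the keyring file out of its Git history at the snapshot date and feed `gpg --no-default-keyring --keyring <file> --with-colons --list-sigs` into `parse_keyring`; the DOT text goes to graphviz as in the talk. Two things to keep in mind: self-signatures are excluded by default, so edge counts will differ from the "including self" figures on later slides unless `include_self=True`, and a signature that comes out blue despite an old snapshot date means the signer's clock was ahead of the snapshot, which is worth a look in its own right.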
Same old keyrings: 2014.01.12

Figure: Big, red, disconnected blob
Same old keyrings: 2015.01.01

Figure: Still some areas dominated by color, but much better distributed
Same ten-keyring snapshot

(a) Jan 2009 (b) Jan 2010 (c) Jan 2011 (d) Jan 2012 (e) Jan 2014 (f) Dec 2014 (g) Jan 2015

Figure: Snapshots of the Debian keyring evolution at different points in time, showing signature age. Signature coloring is relative to each of the snapshots.
3 Measuring Key Signing Parties
What is a KSP?

At developer gatherings, such as DebConf
But also at other Free Software conferences — Hint, hint!
Each participant of the KSP verifies the identity of the others and prepares for later signing and mailing the key certifications
Good practice! Use caff (in Debian's signing-party package)
As a result, the overall strength of the WoT grows
Linking geographically-distant people, or people from different backgrounds...
Small-scale vs. Large-scale KSPs

Sometimes, you expect to exchange only a few signatures... Things stay simple:
1 Exchange paper slips with full fingerprints
2 Be reasonably sure of your peer's identity

Sometimes... It's too many people!
The KSP has to be arranged in advance!
Verify the integrity of a shared document with all fingerprints
Just tick boxes (carefully!)
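The large-KSP checks from the slide, done in code, as an added example that is not from the talk or from any DebConf KSP tooling. Everyone downloads the same participant list in advance; at the party the organiser reads the list's digest aloud and each participant reads their own fingerprint aloud while the others tick two boxes. The list layout in `KSP_LIST` imitates the shape such lists usually have but is constructed, as are all fingerprints and people; the function names and the `ticks` dictionary are mine.

```python
"""Added example, not code from the talk: verify a shared KSP participant
list, compare a fingerprint read aloud against it, and hand only the
double-ticked entries to caff."""
from __future__ import annotations

import hashlib
import re

# Constructed participant list (invented fingerprints and people).
KSP_LIST = """\
001  [ ] Fingerprint OK        [ ] ID OK

pub   4096R/11111111 2014-01-01
      Key fingerprint = 1111 1111 1111 1111 1111  1111 1111 1111 1111 1111
uid                  Alice Example <alice@example.org>

002  [ ] Fingerprint OK        [ ] ID OK

pub   4096R/22222222 2014-01-01
      Key fingerprint = 2222 2222 2222 2222 2222  2222 2222 2222 2222 2222
uid                  Bob Example <bob@example.org>
"""

FPR_RE = re.compile(r"Key fingerprint = ((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})")
ENTRY_RE = re.compile(r"^(\d{3})\s+\[")
UID_RE = re.compile(r"^uid\s+(.*)$", re.M)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def list_is_intact(text: str, announced_digest: str) -> bool:
    """Step 1: the digest read aloud must match the copy you brought.  This
    only proves everybody holds the same document, not that any entry is right."""
    return sha256_hex(text).lower() == announced_digest.strip().lower()


def normalize_fpr(fpr: str) -> str:
    """Paper, screen and speech differ in spacing and case; compare hex digits only."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_list(text: str) -> dict[str, tuple[str, str]]:
    """Map entry number -> (normalized fingerprint, uid)."""
    entries = {}
    for block in re.split(r"\n(?=\d{3}\s+\[)", text):
        num = ENTRY_RE.match(block)
        fpr = FPR_RE.search(block)
        uid = UID_RE.search(block)
        if num and fpr and uid:
            entries[num.group(1)] = (normalize_fpr(fpr.group(1)), uid.group(1).strip())
    return entries


def fingerprint_matches(listed: str, read_aloud: str) -> bool:
    """Step 2: all 40 hex digits the person reads must match the list.
    A prefix or a short key ID is not enough: refuse anything shorter."""
    a, b = normalize_fpr(listed), normalize_fpr(read_aloud)
    return len(a) == 40 and a == b


def keys_to_sign(entries: dict, ticks: dict[str, tuple[bool, bool]]) -> list[str]:
    """Step 3: only entries with *both* boxes ticked (fingerprint OK, ID OK)
    are certified; a single tick is a record, not a decision to sign."""
    return [entries[n][0] for n in sorted(entries) if ticks.get(n) == (True, True)]


def caff_command(fingerprints: list[str]) -> str:
    """caff (signing-party package) takes key IDs or fingerprints as arguments."""
    return "caff " + " ".join("0x" + f for f in fingerprints)


if __name__ == "__main__":
    announced = sha256_hex(KSP_LIST)           # what the organiser would read aloud
    assert list_is_intact(KSP_LIST, announced)
    entries = parse_list(KSP_LIST)
    print(fingerprint_matches(entries["001"][0], "1111 1111 1111 1111 1111 1111 1111 1111 1111 1111"))
    ticks = {"001": (True, True), "002": (True, False)}   # Bob's ID was not checked
    print(caff_command(keys_to_sign(entries, ticks)))
```

The order of the checks matters: if the digest does not match, stop, because every fingerprint on your printout is then suspect. The `ticks` record is the digital counterpart of the paper checklist; keeping it separate from the list itself is what lets the list stay a shared, digest-checked artifact. caff then mails each certification encrypted to the signed user ID, so a certification for an address the person does not control never reaches a usable keyring.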
Studying each big KSP as a keyring

151 keys, 1638 signatures (including self)

Figure: Keyring for the DebConf17 KSP (graph of participants' keys, labelled by name)
DebConf KSPs by numbers — And some observed issues?

Figure: Per DebConf edition (6 to 17), the series Total attendees, KSP participants (%), Non-DD participants in KSP, DD participants in KSP and DDs in KSP (%). Left axis: keys in KSP (0 to 600); right axis: percentage (0 to 100).
Increase of internal signedness after KSPs

Figure: Average percentage of keys signed by each key (0 to 30), plotted against weeks after the KSP (0 to 15), one curve per DebConf KSP from DC6 to DC16.
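The metric plotted above, computed from a KSP's own small keyring, as an added example that is not code from the talk. For each participant key, "internal signedness" is taken here as the share of the other participant keys it has signed by a given week after the party; the curve is the average over participants. The keys, dates and signatures are constructed (the KSP date is not DebConf17's real date); the function names are mine.

```python
"""Added example, not code from the talk: signedness curve of a KSP keyring
in the weeks after the party."""
from __future__ import annotations

import datetime as dt

KSP_DATE = dt.date(2017, 8, 10)          # constructed, not a real DebConf KSP date
KSP_KEYS = {"A", "B", "C", "D"}          # constructed participant key IDs


def day(n: int) -> dt.date:
    """Convenience: the date n days after the party."""
    return KSP_DATE + dt.timedelta(days=n)


# Constructed (signer, signee, signature date).  B->C predates the party,
# D is a late signer, and Z was not at the KSP at all.
SIGNATURES = [
    ("B", "C", day(-400)),
    ("A", "B", day(3)), ("B", "A", day(3)),
    ("A", "C", day(10)),
    ("C", "A", day(20)),
    ("D", "A", day(60)),
    ("A", "Z", day(1)),
]


def signedness_at(keys: set[str], sigs, cutoff: dt.date) -> dict[str, float]:
    """Percentage of the *other* participant keys each key has signed by
    cutoff.  Signatures on or by non-participants and self-signatures are
    not internal and do not count."""
    others = len(keys) - 1
    signed = {k: set() for k in keys}
    for signer, signee, date in sigs:
        if signer in keys and signee in keys and signer != signee and date <= cutoff:
            signed[signer].add(signee)
    return {k: 100.0 * len(v) / others for k, v in signed.items()}


def signedness_curve(keys: set[str], sigs, ksp_date: dt.date, weeks: int = 16) -> list[float]:
    """One value per week 0..weeks-1, matching the x-axis of the plot."""
    curve = []
    for w in range(weeks):
        pct = signedness_at(keys, sigs, ksp_date + dt.timedelta(weeks=w))
        curve.append(sum(pct.values()) / len(pct))
    return curve


def laggards(keys: set[str], sigs, cutoff: dt.date, threshold: float = 50.0) -> list[str]:
    """Participants below threshold % at cutoff: the people to nudge about
    the slips still sitting in their bag."""
    return sorted(k for k, p in signedness_at(keys, sigs, cutoff).items() if p < threshold)


if __name__ == "__main__":
    for week, value in enumerate(signedness_curve(KSP_KEYS, SIGNATURES, KSP_DATE)):
        print(f"week {week:2d}: {value:5.1f}%")
    print("laggards at week 3:", laggards(KSP_KEYS, SIGNATURES, day(21)))
```

On a real KSP keyring the inputs come from the `parse_keyring` step shown earlier (signer, signee, date) restricted to the keys on the participant list; signatures that existed before the party show up as the week-0 value, which is why the curves on the plot do not start at zero. Because the denominator is the number of other participants, a key that signs everyone reaches 100 only if everyone attended and could be verified; the per-key figures from `signedness_at` are the ones to look at when one KSP's curve flattens early.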
4 Pushing this study forward...
What about your project?

Applicability to other free software projects?
Correlate with events and trends spanning a wider population
Issue: Do we have a similar data source?
Particularly for GNU/FSF: work is starting on a curated WoT (CWoT)
Use different data sources: after all, this is just social network graph analysis!
...But it needs to record interpersonal relations
Point in time for actions
Should preserve history (in our case, by being in Git)
In the future, it can document issues related to the history of your project...
Thanks!

Thanks for your attention!

Gunnar Wolf • gwolf@debian.org
AB41 C1C6 8AFD 668C A045 EBF8 673A 03E4 C1DB 921F
Debian Project
Instituto de Investigaciones Económicas (UNAM)