Curated Web-of-Trust keyrings for free software projects: A case study on Debian’s experience
Gunnar Wolf
LibrePlanet 2018; Cambridge, MA, USA; March 24-25 2018

Contents

1 Introduction: Trust models
2 Trust aging
3 Measuring Key Signing Parties
4 Pushing this study forward...

The Debian keyrings: a curated Web of Trust
Figure: Webs of Trust can teach us quite a bit - Dissecting the Leaf of Trust (Cederlöf 2008). Panels: (a) Whole "leaf"; (b) Sorted by TLD

Work started after a big migration. . .

- Played with giving the keyring to graphviz
- Might not be the best tool
- Graph orientation and general shape is not stable
- ... But the results are interesting nonetheless!
- Keys are nodes, signatures are edges
- Of course, it looks like a simple, useless blob...

Just a simple, boring blob: Debian Developers, 2015.01.01

Thanks to having everything under Git (version control), we have a handy window to the past...

- What does this split mean?
- Why did it appear?
- Where does it come from?
- How did it get there?
- When did it appear?

[Figure panels: (a) Jan 2009; (b) Jan 2010; (c) Jan 2011; (d) Jan 2012; (e) Jan 2014; (f) Dec 2014; (g) Jan 2015]

Hypothesis: Keyring aging?

- Leading to, and mostly during 2014, a huge portion of our keyring was replaced
- One of the “blobs” marks older keys, the other new replacements?
- But why did the split begin as early as 2011?
- Note that nodes are grouped by their cross-signatures, not by the key age (hence a 1024D key could be in the “younger” group and be expired!)
- Or it marks a generation of Debian Developers, slowly reducing their involvement?

Let's add some color!

- Nodes are irrelevant (point), only edges are important
- Edges represent key signatures; color denotes signature age WRT the point in time the snapshot was taken

Table: Color key for the resulting graphs

Color    Signature age
Blue     Less than one year
Green    1 to 2 years
Yellow   2 to 3 years
Orange   3 to 4 years

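The edge coloring described above, as an added example (not code from the talk): it assumes the signatures come from a `gpg --list-sigs --with-colons` style listing, here a constructed sample, and emits Graphviz DOT with point-shaped nodes. The `gray` fallback for signatures older than the table's last row and all function names are assumptions of this example.

```python
from datetime import datetime, timezone
# Slide's color key; FALLBACK (older than its last row) is this example's choice.
COLOR_KEY = [(1, "blue"), (2, "green"), (3, "yellow"), (4, "orange")]
FALLBACK, YEAR = "gray", 365.25 * 86400

# Constructed listing in `gpg --list-sigs --with-colons` layout:
# field 5 is the key ID, field 6 the creation time in epoch seconds.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1262304000:::-:::scESC:
sig:::1:AAAAAAAAAAAAAAAA:1262304000::::Alice (constructed):13x:
sig:::1:BBBBBBBBBBBBBBBB:1412121600::::Bob (constructed):10x:
sig:::1:CCCCCCCCCCCCCCCC:1220227200::::Carol (constructed):10x:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1325376000:::-:::scESC:
sig:::1:AAAAAAAAAAAAAAAA:1341100800::::Alice (constructed):10x:
sig:::1:DDDDDDDDDDDDDDDD:1400000000::::Outsider (constructed):10x:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1199145600:::-:::scESC:
"""

def parse_edges(listing):
    """Map (signer, signee) -> signature times, keyring members only."""
    members, sigs, current = set(), [], None
    for fields in (line.split(":") for line in listing.splitlines()):
        if fields[0] == "pub":
            current = fields[4]
            members.add(current)
        elif fields[0] == "sig" and current and fields[4] != current:
            sigs.append((fields[4], current, int(fields[5])))  # not a self-sig
    edges = {}
    for signer, signee, ts in sigs:
        if signer in members:  # curated keyring: drop outside signers
            edges.setdefault((signer, signee), []).append(ts)
    return edges

def colored_edges(edges, snapshot):
    """Color each edge by its newest signature's age at the snapshot date."""
    snap, out = snapshot.timestamp(), {}
    for pair, stamps in edges.items():
        seen = [ts for ts in stamps if ts <= snap]  # later signatures: no edge yet
        if seen:
            years = (snap - max(seen)) / YEAR
            out[pair] = next((c for lim, c in COLOR_KEY if years < lim), FALLBACK)
    return out

def to_dot(colors):
    body = [f'  "{a}" -> "{b}" [color={c}];' for (a, b), c in sorted(colors.items())]
    return "\n".join(["digraph keyring {", "  node [shape=point];", *body, "}"])

if __name__ == "__main__":
    snapshot = datetime(2015, 1, 1, tzinfo=timezone.utc)
    print(to_dot(colored_edges(parse_edges(SAMPLE), snapshot)))
```

Running the same listing against an earlier snapshot date shows the same edge in a different color, which is the aging effect the color key is meant to expose.
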
[Figure panels: (a) Jan 2009; (b) Jan 2010; (c) Jan 2011; (d) Jan 2012; (e) Jan 2014; (f) Dec 2014; (g) Jan 2015]

What is a KSP?

Sometimes, you expect to exchange only a few signatures... Things stay simple
1 Exchange paper slips with full fingerprints
2 Be reasonably sure of your peer’s identity

Sometimes... It’s too many people!
- KSP has to be arranged in advance!
- Verify integrity of a shared document with all fingerprints
- Just tick boxes (carefully!)

Studying each big KSP as a keyring
[Figure: graph of one KSP's keyring; nodes are labelled with participants' names]

[Figure: "Keys in KSP" (0 to 400) and "Percentage" (0 to 60), by DebConf edition (6 to 17)]

Increase of internal signedness after KSPs
[Figure: "Average keys % signed by key" (0 to 30) against "Weeks after KSP" (0 to 15); one series per DebConf edition, DC6 to DC16]

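One way to compute the quantity on the plot's vertical axis, as an added example (not the author's code): it assumes "internal signedness" means, for each attendee key, the percentage of the other attendees' keys it has signed, averaged over all attendees and sampled weekly after the party. The attendee names, dates and signatures are constructed.

```python
from datetime import datetime, timedelta, timezone

def internal_signedness(attendees, signatures, when):
    """Average % of the other attendees' keys that each attendee key has signed by `when`."""
    attendees = set(attendees)
    if len(attendees) < 2:
        return 0.0  # nobody else to sign
    signed = {key: set() for key in attendees}
    for signer, signee, ts in signatures:
        # Only signatures inside the party count; repeats collapse in the set.
        if signer in attendees and signee in attendees and signer != signee and ts <= when:
            signed[signer].add(signee)
    others = len(attendees) - 1
    return sum(100.0 * len(s) / others for s in signed.values()) / len(attendees)

def weekly_series(attendees, signatures, ksp_date, weeks):
    """Internal signedness at the party date and at each of the following weeks."""
    return [round(internal_signedness(attendees, signatures, ksp_date + timedelta(weeks=w)), 1)
            for w in range(weeks + 1)]

# Constructed party: four attendees, one outsider, signatures as (signer, signee, time).
KSP = datetime(2017, 8, 10, tzinfo=timezone.utc)
ATTENDEES = ["alice", "bob", "carol", "dave"]
SIGNATURES = [
    ("alice", "bob", KSP - timedelta(days=365)),   # predates the party
    ("erin", "alice", KSP + timedelta(days=1)),    # outsider: ignored
    ("alice", "carol", KSP + timedelta(days=3)),
    ("bob", "alice", KSP + timedelta(days=3)),
    ("alice", "bob", KSP + timedelta(days=5)),     # re-signature: counted once
    ("carol", "alice", KSP + timedelta(days=10)),
    ("carol", "bob", KSP + timedelta(days=10)),
    ("dave", "alice", KSP + timedelta(days=20)),
]

if __name__ == "__main__":
    for week, pct in enumerate(weekly_series(ATTENDEES, SIGNATURES, KSP, 4)):
        print(f"week {week}: {pct}%")
```

The week 0 value is the baseline from signatures that already existed before the party, so the increase attributable to the KSP is the difference from that baseline.
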
What about your project?

- Applicability to other free software projects?
- Correlate with events and trends spanning a wider population
- Issue: Do we have a similar data source?
- Particularly for GNU/FSF: work is starting on a CWoT (curated Web of Trust)
- Use from different data sources: after all, this is just social network graph analysis!
- ... But needs to record interpersonal relations
- Point in time for actions
- Should preserve history (in our case, being in Git)
- In the future, it can document issues related to the history of your project...

Thanks!

Thanks for your attention!

Gunnar Wolf
Debian Project
Instituto de Investigaciones Económicas (UNAM)