spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

Moderation needed for Electrum in the Microsoft winget package repository #7643

Open brianddk opened 2 years ago

brianddk commented 2 years ago

Electrum is showing up in the winget package repo. It's great to see the packages there, but you might want to take over the PR submission for your ORG. The packages there seem legit, but technically, anyone could contribute any package there and call it "Electrum". Your dev team may want to take over these submissions, or request you appear on the PR approval list for your ORG.

ecdsa commented 2 years ago

I don't see why anyone would submit our software there with good intentions. I also do not know what the rules are with that repo, and how we would "take over". For the time being, please consider those packages as malware.

EDIT: I just checked, their installer links to our download.electrum.org. Still, I feel that this could be easily abused.

brianddk commented 2 years ago

@ecdsa Agreed.

There is discussion on the winget repo on how to do this, but I think for the most part it's just a few moderators who give it a "sniff test". Ideally, submissions would be GPG signed with the same GPG signature as the GitHub release referenced. For other Authenticode signatures, signing a CAT with a proof of ownership message.

Obviously there are lots of good ways to do it, but as you say, they are currently doing none. They have outlined a process for developers to take ownership of a folder in the project, but it still would be open to users defining scam products like "Electron" or "Electrin" with gullible users being none the wiser.

Folder ownership seems to be discussed here:

https://github.com/microsoft/winget-pkgs/discussions/15607#discussioncomment-812823

brianddk commented 2 years ago

@ItzLevvie Thx for the detailed reply. I'll speak to some of the replies to my post, but leave the broader questions to the electrum repo maintainers.

In regards to the discussion of GPG and Authenticode, I fully agree that adoption and entry cost are barriers. What I tried to outline in my proposal was a moderation policy that uses a cryptographic test as a moderation measure. I'm sure the Microsoft moderators are competent and well intending, but it is still a single person who may not truly know what the "official site" is. A simple example is bitcoin.com -vs- bitcoin.org. Both claim to be "official" and both sites are legitimate in their own right, but which site does the moderator use when evaluating a deliverable called "Bitcoin"?

Cryptographic testing, if only between submitter and moderator, would solve this problem, IMHO. If the submitter passes a non-trivial proof-of-keys test on the PGP key used on the last GitHub release tag of the referenced repository, then it is safe to say that developer holds some authority.

As I mentioned in the discussion thread on the winget repo (linked earlier), these are all problems that have confronted Certificate Authorities for over a decade. Borrowing some of their policies of moderation would likely be appropriate. In most cases, I've seen CAs require some form of cryptographic proof, or at a minimum, modification of a file on the applied domain.

I think we are just looking for something stronger than the build test and validity. The docs you linked were a good start, especially the sections on financial packages, but still fall short of any cryptographic proof test that the PR submitter is actually the software author, or a member of the software repository maintainers.
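The "proof-of-keys" moderation test proposed above, sketched as an added example that is not part of this thread and not code from Electrum or the winget-pkgs project. It stands in Ed25519 (Go standard library) for the PGP key that signed the release tag, and uses a SHA-256 of the public key as a stand-in for a PGP fingerprint; the package id `Electrum.Electrum`, the PR number and the message format are assumed for illustration. The point it makes that the prose does not spell out: the moderator's challenge must be random, time-limited and bound to the specific PR and package, so that a signature collected for one submission cannot be replayed on another, and the key that answers must match the fingerprint already recorded on the referenced release tag.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Fingerprint identifies a signing key the way a PGP fingerprint would.
// Here it is the SHA-256 of the raw Ed25519 public key (a stand-in, not PGP).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Challenge is what the moderator hands to the PR submitter.
type Challenge struct {
	PackageID string // winget manifest id, assumed: "Electrum.Electrum"
	PRNumber  int    // the winget-pkgs pull request being moderated
	Nonce     []byte // fresh randomness so each challenge is unique
	IssuedAt  time.Time
}

// NewChallenge mints a random challenge bound to one package and one PR.
func NewChallenge(packageID string, pr int) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{PackageID: packageID, PRNumber: pr, Nonce: nonce, IssuedAt: time.Now()}, nil
}

// Message is the exact byte string both sides sign and verify. Binding the
// package id and PR number means a signature cannot be reused on another PR.
func (c Challenge) Message() []byte {
	return []byte(fmt.Sprintf("winget-proof-of-keys|%s|pr=%d|nonce=%s",
		c.PackageID, c.PRNumber, hex.EncodeToString(c.Nonce)))
}

// Respond is the submitter side: sign the challenge with the release-signing key.
func Respond(c Challenge, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, c.Message())
}

// Verify is the moderator side. releaseFingerprint is the fingerprint of the
// key that signed the latest release tag in the repository the manifest references;
// the moderator obtains it from that tag, never from the PR itself.
func Verify(c Challenge, releaseFingerprint string, pub ed25519.PublicKey, sig []byte, maxAge time.Duration) error {
	if time.Since(c.IssuedAt) > maxAge {
		return errors.New("challenge expired")
	}
	if Fingerprint(pub) != releaseFingerprint {
		return errors.New("responding key does not match the release-signing key")
	}
	if !ed25519.Verify(pub, c.Message(), sig) {
		return errors.New("bad signature over challenge")
	}
	return nil
}

func main() {
	// Constructed keys: the "release key" and an unrelated key an impostor might hold.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	releaseFP := Fingerprint(pub) // what the moderator read off the release tag

	c, err := NewChallenge("Electrum.Electrum", 1234)
	if err != nil {
		panic(err)
	}
	fmt.Println("legitimate submitter:", Verify(c, releaseFP, pub, Respond(c, priv), time.Minute))
	fmt.Println("impostor key:        ", Verify(c, releaseFP, otherPub, Respond(c, otherPriv), time.Minute))

	replay := c
	replay.PRNumber = 9999 // same signature presented on a different PR
	fmt.Println("replayed on other PR:", Verify(replay, releaseFP, pub, Respond(c, priv), time.Minute))
}
```

In a real deployment the Ed25519 calls would be replaced by verifying a PGP clear-signed copy of the challenge against the key fetched from the release tag; the binding and expiry logic stays the same.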