Oddbean new post about | logout
 Using PGP for verifying software doesn't work and it is often counterproductive. Users don't understand what they are doing. They don't use PGP and they don't have a WoT so, what's the point.
The worst part is that those same users would demand a step-by-step instructions about how to verify the software. What are the alternatives?   
 I LIKED HOW YOU GUYS IMPLEMENTED BUILT IN VERIFICATION OF UPDATES IN WASABI.

MORE SOFTWARE SHOULD DO THAT. 

DOES NOT SOLVE THE ISSUE WITH FIRST INSTALL BUT STILL MITIGATES RISK GOING FORWARD.

LONG TERM NOSTR SIGNING + WOT COULD SOLVE THIS - @  @Zapstore LEADING THE WAY. 
 I appreciate that. Yes, Zap.store really looks amazing. In the meantime, I don't know what to do. It feels like a losing battle. 
 Craig raw added a good tool in sparrow for verifying software updates 
It works good. Especially for someone less technical 
 Maybe Blossom can help to provide clarity of a change-free download to less technical users 🌸 #tradeoffs 
 Distribution repositories. They are signed by PGP but the users don't need to touch it or even know about it. Just in case of external ones they need to install the key.

And even without WoT, TOFU is still more secure than no verification at all. 
 I'd argue the point of PGP is that advanced/paranoid users can verify the package was signed by the trusted developer. Most other signing options like those built into package managers or Windows MSI packages, rely on the central entity, Ex: Microsoft, Canonical, RedHat and so on. 

Fdroid does the same on android. Mozilla for Firefox, Google for Chrome and so on. Central authorities sign packages, NOT the developer. The trust is placed in the central authority not to tamper with the code, between the developer and the user. 

I believe you are being dishonest saying it's not useful. Its very useful for its intended purpose. Its widely used in commercial integration pipelines, that require authentic source from upstream developers. You can't do everything for the user, they have to learn and care about it. Otherwise you are deferring responsibility anyway, then you might as well set up a central trusted authority like an app store, I'd argue that's a more secure option for people that won't ever bother to learn code signing. 

PGP bridges the gap between trusting app stores for normies and those who care about the authenticity of code. Along with marginal friction for developers. 

Key distribution will always be difficult. We could sign package with secp256k1, I've even been tempted to do that as a concept myself, but we still haven't solved good key distribution.