Dev/project-news

From Kicksecure
< Dev
Jump to navigation Jump to search

This is a draft for a new package called "project-news" which would allow projects to reliably communicate important news to users, including security issues and deprecation notices. The package would be plugin-based and available on desktops, and users could subscribe to different news channels and configure the messages they want to receive.

why[edit]

Examples when project news would have been and will be useful.

  • Projects don't have a reliable way to communicate with users. Reliable meaning, that 99,9% of users have a chance to actually read important news such as deprecation notices and action needed in case of security issues.
    • Only a fraction of users checks news blogs first let alone rss subscribes to blogs.
    • Only a fraction of users signs up to mailing lists.
    • History has shown, that Stay Tuned is mostly ignored.
  • apt bugs
  • apt signing key revocation

project news[edit]

  • plugin / settings based
  • on your desktop
  • cli users: local mail

apt-listchanges[edit]

Why not use apt-listchanges instead?

  • Too technical.
  • Lists changelogs, not news.
  • Does not work in case of apt issues.

subscription channels[edit]

  • emergency news only
  • calls for testing
  • all project news
  • ...?

buttons[edit]

  • remind me
  • do not show this again

https://forums.whonix.org/t/do-not-show-this-message-again-generic-one-time-popup/8066archive.org

read and process this[edit]

https://forums.whonix.org/t/apt-get-upgrading-security-issue-cve-2016-1252/3288/17archive.org

read and process this also[edit]

https://forums.whonix.org/t/whonix-upgrade-notification/3284archive.org

message expiration[edit]

(some) messages (configurable) should only be valid for a certain time

The Update Framework[edit]

https://theupdateframework.io/archive.org

emergency news signing key security[edit]

The emergency notification messages should be signed with a different key than the one for repo package signing old and new.

multi sig[edit]

Should use multi sig (key splitting).

The Debian apt signing key is on an official debian.org server. The revocation key is on Debian Developer's (DD) machines. (Not necessarily offline machines.)

They would need at least a 7/12 signature to create the Debian apt signing key revocation certificate.

Source: https://web.archive.org/web/20221013100419/https://ftp-master.debian.org/keys.htmlarchive.org

So by using multi sig and not keeping the the emergency news signing key only on DD's machines, it would be safer than Debian's apt signing key.

/etc/emergency-news.d[edit]

The code for downloading the emergency news should be configurable.

Download the emergency news files from:

  • version 1 - download from clearnet web servers
  • version 2 - optionally download from onion web servers
  • version 3 - optionally download from freenet / or something that implements a permanent takedown attack defense

distribution plugins[edit]

  • Debian, Qubes, Ubuntu, Kicksecure

application plugins[edit]

Should application packages be allowed to use this mechanism also?

Distributions should be able to disable applications pushing news.

annoyance[edit]

Should prevent against fear of annoying spam messages on their desktops.

speak generally[edit]

Do not speak specifically about DDs since derivative distributions would handle this similarly by adding their distribution specific configuration file drop-in.

test cases[edit]

  • multiple notifications at once

message format[edit]

Text only? Clickable hyperlinks? Html, oh well? Security?

project name[edit]

project-news is the proposed package name and project name. It is not fixed. We can still discuss this at Kicksecure and should leave this open during publication of this concept.

Proposal[edit]

TODO:

  • Take any of the above bullet points one by one and convert those into a good wording that can be posted on the debian-devel mailing list.

alternative package managers[edit]

Sponsors[edit]

  • Should ask core infrastructure initiative once the concept is ready.

Transports[edit]

IPFS has experimental Tor support. Leaks? No big deal if yes since we use a leak proof design.

https://dweb-primer.ipfs.io/avenues-for-access/tor-transportarchive.org

"As for preserving content, it is an explicit choice to be made by nodes and this is done by "pinning" the files otherwise new content will replace the old over time. The choice of what to keep is explicit (Freenet is exceptional in that it makes sure no one can censor the or choose the content they host) and so in theory we can pre-configure every Kicksecure user as an IPFS node over Tor, but leave the choice to participate as opt-in in case they are in a part of the world with slow connections or a metered/limited connection. First it can be used to host critical announcements/news and later perhaps to share the code itself if a decapitation attack is in progress."

https://medium.com/pinata/what-is-an-ipfs-pinning-service-f6ed4cd7e475archive.org

https://docs.ipfs.io/how-to/work-with-pinning-services/archive.org

https://dweb-primer.ipfs.io/files-on-ipfs/pin-filesarchive.org


I2P + Tahoe-LAFS - no public storage grid?


Freenet -> requires UDP


ZeroNet -> dependency issues


Users could choose their daemons to be permanently running or as intermittent connections that make brief connections every X days for a minute or 2 to check for new news files.

"Would you like to keep your node always running to help make the project files resistant to censorship take-down?"

Related[edit]


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!