Who do you trust (… and how do you trust the new Linux Distribution StageX?) Do you trust your best friend from childhood? Do you trust your chosen Distribution for your Homelab? For your Workplace?
Psychology says there are roughly two types of trust: direct and transitive trust.
Direct trust is you trusting your best friend. Transitive trust is your best friend assuring you that another person is also trustworthy, and you taking their word for it because you trust them.
So let's take a dive into the Web of Trust, which is how this is represented in the digital world.
With PGP you can sign someone's key, which essentially says that you verified that someone is who the key claims to be. Let's introduce Alice and Bob. You know Alice, as she is your best friend, but you don't know Bob. Alice knows Bob and signed his key. Now Bob presents you some work, but you don't know how to verify that he is who he claims to be. Your next step is to look at the signatures on his key, where you see Alice's key. You transitively trust Bob because you trust Alice.
I am working on a project called StageX, which is a Linux distribution designed to eliminate single points of failure. Every addition to this distribution has to be PGP signed. With a list of all commits and the keys that were used for signing, one could go on and recursively fetch from keyservers all the keys that signed those keys as well.
Which is exactly what Lance R. Vick did, resulting in this dataset of 5458 keys.
Analyzing the Dataset
Obviously my next step was to analyze this dataset.
I wrote a Python script which outputs a .gexf XML file, which can then be viewed with open source tooling such as Gephi Lite.
If you want to use the graph yourself and import it into Gephi, you will not see the same output as me but rather a compressed square.

To get this into the pretty graph you see above you will have to use the ForceAtlas2 layout. I used “Strong Gravity Mode”, 10 for Slow Down, 50 for Scaling Ratio and barnesHutOptimize (which is the difference between $O(n^2)$ and $O(n \log n)$).
So let's talk numbers and statistics.
The resulting file contains 39,998 edges interconnecting the 5458 nodes. This is a perfect example of a very interconnected Web of Trust.
The top 30 domains in this set are:
| Count | Domain |
|---|---|
| 1655 | gmail.com |
| 464 | debian.org |
| 301 | suse.com |
| 243 | mobexpert.ro |
| 158 | suse.de |
| 126 | canonical.com |
| 123 | redhat.com |
| 114 | riseup.net |
| 111 | kernel.org |
| 97 | protonmail.com |
| 88 | ubuntu.com |
| 84 | outlook.com |
| 71 | apache.org |
| 65 | keybase.io |
| 64 | crans.org |
| 59 | vt.edu |
| 59 | mailbox.org |
| 55 | hotmail.com |
| 53 | gentoo.org |
| 51 | web.de |
| 49 | gmx.de |
| 45 | fsfe.org |
| 44 | googlemail.com |
| 40 | disroot.org |
| 40 | fedoraproject.org |
| 36 | yahoo.com |
| 36 | posteo.de |
| 34 | suse.cz |
| 34 | informatik.uni-hamburg.de |
| 33 | intevation.de |
If you are asking yourself who mobexpert.ro is, you asked yourself the same question as I did. This also answers the question of what the large circle with only one signing node is. It is a Romanian furniture company that (supposedly) gives every employee their own key via a mail gateway. The central key in the middle is the MOBEXPERT Group Postmaster Sign Key. Similar central nodes can be found, for example, for CS4264 (a key for the project of class CS4264, for instructional purposes).
But in general there are well-known big names, and the list is long: there are keys from Mozilla, RIPE, CERN and FreeBSD. Whomever you choose to trust, you will probably find them in this dataset.
I chose some of these domains to color the graph.

This gives us some interesting insight into how people connect.
SUSE (the green dots in the upper right corner), Apache (red dots next to SUSE) and Ubuntu (orange dots in the upper left corner) are mostly clustered. This means that they are connected on a community level and tend not to sign a lot of keys outside of it. Whereas Debian (red), Arch (blue) and kernel (yellow) developers are spread out all across the web: they also sign a lot of keys outside their own community and do more to bridge the gaps.
So on to the question: who signs the most keys?
- MOBEXPERT with 509 signatures, which I assume is the number of employees this company has or had in the past.
- Pavel Dostal (QA Maintenance Engineer at SUSE) with 242 signatures.
- David Seifert (Gentoo) with 240 signatures.
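As an added example (not the author's script and not StageX code), the following Python builds a GEXF file of the kind described above from a constructed toy keyring, and also computes the per-domain key counts and the top-signers ranking behind the statistics. All fingerprints, e-mail addresses and signatures in it are made up.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed toy keyring: key fingerprint -> primary UID e-mail (not the real dataset).
UIDS = {
    "F1": "alice@debian.org", "F2": "bob@kernel.org", "F3": "carol@suse.com",
    "F4": "dave@gmail.com", "F5": "erin@debian.org", "F6": "postmaster@example.ro",
    "F7": "frank@example.ro", "F8": "grace@example.ro",
}
# Constructed signatures as (signer, signee): the signer certified the signee's key.
SIGS = [
    ("F1", "F2"), ("F2", "F1"), ("F1", "F3"), ("F1", "F5"), ("F5", "F1"),
    ("F2", "F4"), ("F6", "F7"), ("F6", "F8"), ("F6", "F1"), ("F6", "F2"),
]

def domain_counts(uids):
    """Keys per e-mail domain, most common first (the 'top domains' table)."""
    return Counter(mail.rsplit("@", 1)[1] for mail in uids.values()).most_common()

def top_signers(sigs, uids, n=3):
    """Rank keys by how many distinct other keys they signed ('who signs the most')."""
    distinct = dict.fromkeys((s, t) for s, t in sigs if s != t)  # dedupe, keep order
    counts = Counter(s for s, _ in distinct)
    return [(uids[f], c) for f, c in counts.most_common(n)]

def to_gexf(uids, sigs):
    """Serialise the keyring as GEXF 1.2: one node per key, one directed edge per signature."""
    ns = "http://www.gexf.net/1.2draft"
    ET.register_namespace("", ns)  # emit xmlns="..." as the default namespace
    gexf = ET.Element(f"{{{ns}}}gexf", version="1.2")
    graph = ET.SubElement(gexf, f"{{{ns}}}graph", defaultedgetype="directed")
    nodes = ET.SubElement(graph, f"{{{ns}}}nodes")
    for fpr, mail in uids.items():
        ET.SubElement(nodes, f"{{{ns}}}node", id=fpr, label=mail)
    edges = ET.SubElement(graph, f"{{{ns}}}edges")
    for i, (signer, signee) in enumerate(sigs):
        ET.SubElement(edges, f"{{{ns}}}edge", id=str(i), source=signer, target=signee)
    return ET.tostring(gexf, encoding="unicode")

def graph_size(gexf_xml):
    """Parse a GEXF document back and return (node_count, edge_count) as a sanity check."""
    ns = {"g": "http://www.gexf.net/1.2draft"}
    root = ET.fromstring(gexf_xml)
    return len(root.findall(".//g:node", ns)), len(root.findall(".//g:edge", ns))

if __name__ == "__main__":
    print(domain_counts(UIDS))
    print(top_signers(SIGS, UIDS))
    print(graph_size(to_gexf(UIDS, SIGS)))
```

Write the string returned by `to_gexf` to a `.gexf` file and Gephi will import it; the layout then still has to be applied as described above.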
StageX
So back to the initial question. Do you trust SUSE? Ubuntu? Debian? Or maybe you are more on the enterprise side and trust Red Hat.
In reality you do not have to trust anyone in StageX. The whole security model is written in a way that it is self-contained: you can build the whole tree yourself and verify from hex0 up to whatever you are expecting.
But you can also verify that the people working on StageX are interconnected with the trust anchors you already know: developers of the largest distributions that power the whole internet, and the people who build the kernel.
Let's look at an example to prove that.

Here you can see the direct connections of one of the StageX maintainers.

If we expand that to two degrees of separation we already reach Debian and Arch developers.

At three degrees we already reach kernel, Ubuntu and other developers.

And at five degrees we have reached about 75 % of the whole web.
This example takes only one maintainer to explain the idea of an interconnected web of trust. If you take all maintainers, this target verifies itself much more quickly.
If you have any comments on this you can e-mail me at z.kron@lugges.eu. I also offer professional implementation support for StageX via this e-mail address!
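An added example, not from the original post, that replays the degree-by-degree expansion above over a constructed toy web of trust: starting from a maintainer key `m1`, it reports which keys are newly reached at each degree and what share of the web has been covered so far. It assumes that a signature between two keys can be walked in either direction, and every node name in it is made up.

```python
# Constructed toy web of trust (not the real dataset). Assumption: a signature between
# two keys is treated as an undirected connection, so reachability crosses it either way.
EDGES = [
    ("m1", "m2"), ("m1", "friend"),             # m1 is the StageX maintainer we start from
    ("m2", "debian1"), ("friend", "arch1"),     # second degree: Debian and Arch developers
    ("debian1", "kernel1"), ("arch1", "ubuntu1"),
    ("kernel1", "k2"), ("ubuntu1", "u2"), ("k2", "far"), ("u2", "far"),
    ("island", "island2"),                      # a pair nobody else signed: never reached
]

def adjacency(edges):
    """Build an undirected adjacency map from (signer, signee) pairs."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def reach_by_degree(adj, start, max_degree):
    """Breadth-first expansion from start, one hop per degree.

    Returns one (degree, newly_reached_keys, share_of_web_reached) tuple per degree;
    the share counts every key seen so far (start included) over all keys in the web."""
    total = len(adj)
    seen = {start}
    frontier = [start]
    rows = []
    for degree in range(1, max_degree + 1):
        new = []
        for node in frontier:
            for neighbour in sorted(adj[node]):
                if neighbour not in seen:
                    seen.add(neighbour)
                    new.append(neighbour)
        frontier = new
        rows.append((degree, sorted(new), round(len(seen) / total, 3)))
    return rows

if __name__ == "__main__":
    for degree, new, share in reach_by_degree(adjacency(EDGES), "m1", 5):
        print(f"degree {degree}: +{new} -> {share:.0%} of the web")
```

The two `island` keys show the other side of the picture: a key that nobody in the connected web has signed stays unreachable no matter how many degrees you expand.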
Zoë 💗
