Simon Josefsson

Twitter Profile link: https://twitter.com/jas4711

Fediverse Profile link: https://fosstodon.org/@jas

Other Social: https://salsa.debian.org/jas

github profile: https://github.com/jas4711/

gitlab profile: https://github.com/jas

I like free software, protocols and standardization, computer security and other things.

Accepted Talks:

De-vendoring Gnulib in Debian

I will describe a new way to maintain Debian packages whose upstream uses gnulib. This avoids vendoring gnulib files, which brings several advantages, including being able to security-patch gnulib code in one package (the Debian gnulib package) and have that code trickle down to all packages using gnulib. Another advantage is reducing the amount of duplicated code that people have to audit to find concerns like the xz-utils incident.

Apt Transparency

How to improve the security of apt repositories with transparency techniques. I will describe attack threat models we should protect against that the apt ecosystem currently has no defense against. This goes beyond the current PGP/GnuPG-based trust system. I propose that we need a mechanism inspired by WebPKI’s Certificate Transparency, and that we consider existing technologies such as HTTPS canary files, Sigstore’s public transparency log, Sigsum’s public transparency log, and Filippo Valsorda’s spicy signatures. I will talk about interactions with reproducible builds to increase the safety of package upgrades.