Trust in Distributed Environments
================================================================================

A few days ago, in the `#kisslinux` IRC channel, jedahan mentioned an
implementation for trust in the package manager. While I was intrigued by the
idea initially, I decided not to implement this for the upcoming 4.0.0 release.
That is because the package manager and the distribution itself is already
centered on trust. However, this idea made me think a lot about "trust" in
distributed environments.

Who and what would you trust? Would you trust Microsoft? Would you trust a
binary? Would you only trust a so called "reproducible" build?

Jedahan mentioned the possibility that a repository maintainer could create a
package that would be normally in the distribution so they could mess your
system up. He suggested a "source" system where you know where each package
comes from. This way the package manager can warn you when the source of a
package is changed. As I have said this idea intrigued me at the beginning, but
here is why it is complex and unnecessary.

The package manager would warn you every time you fork a package and apply your
changes. Both with kiss and CPT, you already see git logs when the repositories
are fetched. Those logs address each and every file that has been edited, added,
removed, or renamed. CPT also has support for rsync, which is called verbosely.
While not as descriptive, rsync also shows what's changed/added and what's
deleted.

Also, back on April, I have added submodule support to my fork of kiss, which
Dylan adapted on May 19. I have added this feature because it solves a similar
issue. I want to have only some packages from a repository and leave the rest
of them. This way I am the one in control of what goes inside my repositories.

Minor annoyances aside, would this solve the issue of trust? Maybe this evil
repository maintainer decides to botch a package that was already in their
repository not provided by your distribution. Should we then track the source
files, build files as well? But those change all the time.

I believe that this environment is as trustworthy as it can get, a repository
system with package build instructions that easy to read and understand, easy to
history check, easy to limit, and easy to allow. KISS and Carbs Linux have a
single maintainer. I maintain Carbs and Dylan maintains KISS. You are not
trusting an organization, you are trusting individuals that you can easily
converse on the internet. The same goes for most community repository
maintainers out there. Trying to implement more would be a "security theater"
that would be a hassle for the maintainers, the users and the package manager
without a noticeable benefit to any.