This is a research talk about tampering – unauthorized changes in the path from source to production. Promise theory says trust requires verification, and that is the thread running through this entire investigation. Starting from a pristine laptop with its certificate authorities and trusted hardware, every step forward introduces new trust decisions.
TLS is the foundation, but we rarely inspect it. Node.js supports wide-open cipher suites by default – narrowing them is a simple environment variable change. Certificate revocation checking is effectively broken: curl does not validate it, Let’s Encrypt improved the situation with short-lived certificates, and certificate transparency monitoring (via Facebook’s tools) lets you detect rogue certificates requested for your domain. DNS CAA records let you specify which certificate authorities are trusted for your domain, though adoption is thin.
DNS itself is still unsolved. DNSSEC should be the answer, but NPM, GitHub, and even curl do not support it. The homebrew install command – piping Ruby from GitHub to your shell – is a trust leap we all take without thinking. At least Node provides GPG-signed binaries with documented verification steps, though the process is clunky. Docker Desktop verification goes through Apple’s signing system, with no standalone checksum available.
Library trust is a four-dimensional problem: competence (CVEs, tests, documentation), reliability (release cadence, community activity), sincerity (code of conduct, governance), and care (pull request responsiveness, commit activity). Package managers run post-install scripts that can execute anything – the npm advertising incident demonstrated this clearly. Docker’s trust model uses TUF (The Update Framework) with separated keys, threshold signatures, offline root keys, and fast revocation – principles that actually saved Docker Hub during a real breach.
The Bitcoin core team’s multi-build consensus approach – multiple people compiling on different systems and comparing checksums – is the most rigorous verification I found. Reproducible builds remain brutally hard: Debian has invested enormous effort and is still not fully there. Bazel takes the hermetic builds approach, specifying the entire toolchain as dependencies. Distroless Docker images reduce the attack surface to just the binary. In-toto records every build step with signatures. But ultimately, transparency and consensus are the path forward – not one authority saying “yes it’s secure,” but collective verification that builds trust.
Watch on YouTube – available on the jedi4ever channel
This summary was generated using AI based on the auto-generated transcript.