chore: Added web-of-trust

2024-04-06 13:21:04 +02:00 · 2024-04-06 13:21:04 +02:00 · f1bec11ae7
commit f1bec11ae7
parent 15b44fceb9
6 changed files with 9635 additions and 0 deletions
--- a/config/trustees.mjs
+++ b/config/trustees.mjs
@ -0,0 +1,35 @@
+/*
+ * This defines the FreeSewing web of trust
+ * See: https://FreeSewing.dev/reference/trust
+ */
+export const trustees = {
+  1: {
+    x: 1306,
+    y: 319,
+    title: 'joost',
+    in: 'Antwerp',
+  },
+  132: {
+    x: 457,
+    y: 345,
+    title: 'woutervdub',
+    in: 'Seattle',
+  },
+  13050: {
+    x: 668,
+    y: 399,
+    title: 'karen',
+    in: 'Chicago',
+  },
+}
+
+/*
+ * These are the connections between the trustees
+ * See: https://FreeSewing.dev/reference/trust
+ */
+export const connections = [
+  [1, 132],
+  [1, 13050],
+]
+
+export const lastUpdate = '20240402'
--- a/markdown/dev/reference/trust/en.md
+++ b/markdown/dev/reference/trust/en.md
@ -0,0 +1,62 @@
+---
+title: Web of Trust
+---
+
+In the wake of [the March 2024 supply-chain attack on XZ
+Utils](https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/) --
+which attempted to smuggle a backdoor into Linux distributions -- FreeSewing has
+taken steps to guard against the attack vector where a contributor gains trust
+over a long period of time, with the end goal to smuggle malicious code into the project.
+
+__Elevated permissions or access will only be granted to people who are in FreeSewing's web of trust__.
+
+We have established an initial web of trust (more on this below) and have
+revoked elevated permissions from all other contributors.
+
+<Note>
+
+##### Paranoia much?
+
+We appreciate that -- given to the nature of software FreeSewing provides -- the chances of a supply chain attack by an adversary willing to invest months or even years to gain our trust are vanishingly small.
+
+Still, we are a small part of the larger open source ecosystem, and we cannot foresee the ways in which others may end up using our software.
+In addition, we want to help normalize this approach, and help raise awareness of the risks involved in trusting pseudo-anonymous contributions.
+
+</Note>
+
+## Defining trust
+
+To understand what we mean by a _web of trust_, we need to keep in mind what we want to guard against.
+In other words, the web of trust should prevent:
+
+**Someone attempting to gain our trust -- possibly over a prolonged period of time -- to achieve a malicious goal.**
+
+Right from the start, you can see that this is impossible. There is no real way to know people's true intentions, so we cannot guard against that.
+However, if we assume people try to pull this off without giving up their real identity, we can instead just focus on identity instead.
+
+The FreeSewing community exists almost exclusively online.
+In contrast, **FreeSewing's web of trust is made up of people who know and have verified each others _real_ identities**.
+
+In other words, to gain elevated permissions or access in FreeSewing, we need to know who you are and where you live.
+
+## Joining the web of trust
+
+To join FreeSewing's web of trust, you should:
+
+- Be a contributor
+- Reach out to one of the current trustees
+- Meet up with them -- physically, in the real world -- and verify each other's identities.
+- Once the current trustee vouches for your identity, you can be added to the web of trust
+
+<Note>
+Being a trustee is a requirement to be granted elevated privileges. It ddoes not automatically grant them.
+</Note>
+
+## FreeSewing's web of trust
+
+<WebOfTrustMap />
+
+## Trustees
+
+<WebOfTrustTable />
+
--- a/sites/dev/components/web-of-trust.mjs
+++ b/sites/dev/components/web-of-trust.mjs
--- a/sites/shared/components/icons.mjs
+++ b/sites/shared/components/icons.mjs
@ -455,6 +455,13 @@ export const LockIcon = (props) => (
  </IconWrapper>
 )

+export const MapMarkerIcon = (props) => (
+  <IconWrapper {...props}>
+    <path d="M15 10.5a3 3 0 1 1-6 0 3 3 0 0 1 6 0Z" fill />
+    <path d="M19.5 10.5c0 7.142-7.5 11.25-7.5 11.25S4.5 17.642 4.5 10.5a7.5 7.5 0 1 1 15 0Z" />
+  </IconWrapper>
+)
+
 export const MastodonIcon = (props) => (
  <IconWrapper {...props} fill stroke={0}>
    <path d="m 11.217423,0.1875 c -2.8267978,0.0231106 -5.545964,0.32921539 -7.1306105,1.056962 0,0 -3.14282962,1.4058166 -3.14282962,6.2023445 0,1.0983506 -0.021349,2.4116171 0.013437,3.8043315 0.11412502,4.690743 0.85993502,9.313695 5.19692442,10.461603 1.9996899,0.529281 3.7166529,0.640169 5.0993757,0.564166 2.507534,-0.139021 3.915187,-0.894849 3.915187,-0.894849 l -0.08272,-1.819364 c 0,0 -1.79194,0.564966 -3.804377,0.496111 -1.9938518,-0.06838 -4.0987697,-0.214969 -4.4212502,-2.662908 -0.029782,-0.215025 -0.044673,-0.445024 -0.044673,-0.686494 0,0 1.9573364,0.47844 4.4378282,0.592088 1.516743,0.06957 2.939062,-0.08886 4.383732,-0.261231 2.770451,-0.330816 5.182722,-2.037815 5.485905,-3.597546 0.477704,-2.456993 0.438356,-5.9959075 0.438356,-5.9959075 0,-4.7965279 -3.142655,-6.2023445 -3.142655,-6.2023445 C 16.83453,0.51671539 14.113674,0.21061063 11.286876,0.1875 Z M 8.0182292,3.9352913 c 1.177465,0 2.0690118,0.4525587 2.6585778,1.3578046 l 0.573249,0.9608111 0.573247,-0.9608111 c 0.589448,-0.9052459 1.480995,-1.3578046 2.65858,-1.3578046 1.017594,0 1.837518,0.3577205 2.463657,1.0555661 0.606959,0.6978459 0.909169,1.6411822 0.909169,2.8281631 V 13.626816 H 15.553691 V 7.9896839 c 0,-1.1882914 -0.49996,-1.7914432 -1.500043,-1.7914432 -1.10575,0 -1.659889,0.715401 -1.659889,2.1301529 V 11.413948 H 10.106352 V 8.3283936 c 0,-1.4147519 -0.5543138,-2.1301529 -1.6600628,-2.1301529 -1.000084,0 -1.5000426,0.6031518 -1.5000426,1.7914432 V 13.626816 H 4.6452275 V 7.8190205 c 0,-1.1869809 0.3022656,-2.1303172 0.9093441,-2.8281631 C 6.1805914,4.2930118 7.0005147,3.9352913 8.0182292,3.9352913 Z" />
--- a/sites/shared/components/mdx/index.mjs
+++ b/sites/shared/components/mdx/index.mjs
@ -19,6 +19,8 @@ import { MeasieImage } from 'shared/components/measurements/image.mjs'
 // Dev/Org jargon
 import { Term as SharedTerm, termList } from 'shared/components/jargon.mjs'
 import { jargon, site } from 'site/prebuild/jargon.mjs'
+// Dev web of trust
+import { WebOfTrustMap, WebOfTrustTable } from '../../../dev/components/web-of-trust.mjs'

 export const Term = ({ children }) => <SharedTerm {...{ jargon, children, site }} />
 export const TermList = termList(jargon, site)
@ -69,6 +71,8 @@ export const components = (site = 'org', slug = []) => {
      ...extra,
      Method: HttpMethod,
      StatusCode: HttpStatusCode,
+      WebOfTrustTable,
+      WebOfTrustMap,
    }

  const specific = {}
--- a/sites/shared/styles/globals.css
+++ b/sites/shared/styles/globals.css
@ -663,3 +663,18 @@ details[open] > summary > svg.summary-chevron {
 details > summary:hover > svg.summary-chevron {
  stroke-width: 5;
 }
+
+svg.svg-world path {
+  fill: currentColor;
+  fill: theme('colors.primary');
+  fill-opacity: 0.2;
+  stroke: theme('colors.primary');
+  stroke-opacity: 0.666;
+}
+
+svg.svg-world circle.user,
+svg.svg-world path.connection {
+  fill: none;
+  stroke: theme('colors.accent');
+  stroke-opacity: 0.666;
+}