Web of Trust

In the wake of the March 2024 supply-chain attack on XZ Utils — which attempted to smuggle a backdoor into Linux distributions — FreeSewing has taken steps to guard against the attack vector where a contributor gains trust over a long period of time, with the end goal to smuggle malicious code into the project.

Elevated permissions or access will only be granted to people who are in FreeSewing’s web of trust.

We have established an initial web of trust (more on this below) and have revoked elevated permissions from all other contributors.

NOTE
Paranoia much?

We appreciate that — given to the nature of software FreeSewing provides — the chances of a supply chain attack by an adversary willing to invest months or even years to gain our trust are vanishingly small.

Still, we are a small part of the larger open source ecosystem, and we cannot foresee the ways in which others may end up using our software. In addition, we want to help normalize this approach, and help raise awareness of the risks involved in trusting pseudo-anonymous contributions.

Defining trust

To understand what we mean by a web of trust, we need to keep in mind what we want to guard against. In other words, the web of trust should prevent:

Someone attempting to gain our trust — possibly over a prolonged period of time — to achieve a malicious goal.

Right from the start, you can see that this is impossible. There is no real way to know people’s true intentions, so we cannot guard against that. However, if we assume people try to pull this off without giving up their real identity, we can instead just focus on identity instead.

The FreeSewing community exists almost exclusively online. In contrast, FreeSewing’s web of trust is made up of people who know and have verified each others real identities.

In other words, to gain elevated permissions or access in FreeSewing, we need to know who you are and where you live.

Joining the web of trust

To join FreeSewing’s web of trust, you should:

  • Be a contributor
  • Reach out to one of the current trustees
  • Meet up with them — physically, in the real world — and verify each other’s identities.
  • Once the current trustee vouches for your identity, you can be added to the web of trust
NOTE

Being a trustee is a requirement to be granted elevated privileges. It ddoes not automatically grant them.

FreeSewing’s web of trust

SudanSouth SudanGeorgiaAbkhaziaSouth OssetiaPeruBurkina FasoFranceGuadeloupeMartiniqueReunionMayotteFrench GuianaLibyaBelarusPakistanAzad KashmirIndonesiaYemenMadagascarBolivia, Plurinational State ofSerbiaKosovoCote d'IvoireAlgeriaSwitzerlandCameroonNorth MacedoniaBotswanaKenyaJordanMexicoUnited Arab EmiratesBelizeBrazilSierra LeoneMaliCongo, Democratic Republic of theItalySomaliaSomalilandAfghanistanBangladeshDominican RepublicGuinea-BissauGhanaAustriaSwedenTurkeyUgandaMozambiqueNew ZealandCubaVenezuela, Bolivarian Republic ofPortugalColombiaMauritaniaAngolaGermanyThailandAustraliaPapua New GuineaIraqCroatiaGreenlandNigerDenmarkLatviaRomaniaZambiaMyanmarEthiopiaGuatemalaSurinameCzech RepublicChadAlbaniaFinlandSyrian Arab RepublicKyrgyzstanSolomon IslandsOmanPanamaArgentinaUnited Kingdom of Great Britain and Northern IrelandCosta RicaParaguayGuineaIrelandNigeriaTunisiaPolandNamibiaSouth AfricaEgyptTanzania, United Republic ofSaudi ArabiaViet NamRussian FederationCrimeaHaitiBosnia and HerzegovinaIndiaChinaHong KongMacaoTaiwanCanadaEl SalvadorGuyanaBelgiumEquatorial GuineaLesothoBulgariaBurundiDjiboutiAzerbaijanNagorno-KarabakhIran, Islamic Republic ofMalaysiaPhilippinesUruguayCongoMontenegroEstoniaRwandaArmeniaSenegalTogoSpainGabonHungaryMalawiTajikistanCambodiaKorea, Republic ofHondurasIcelandNicaraguaChileMoroccoWestern SaharaSahrawi Arab Democratic Republic (Free Zone)LiberiaNetherlandsBonaire, Sint Eustatius and SabaCentral African RepublicSlovakiaLithuaniaZimbabweSri LankaIsraelGaza Strip (State of Palestine)West Bank (State of Palestine)Lao People's Democratic RepublicKorea, Democratic People's Republic ofGreeceTurkmenistanEcuadorBeninSloveniaNorwayMoldova, Republic ofTransnistriaUkraineDonetsk People's RepublicLuhansk People's RepublicLebanonNepalEritreaUnited States of AmericaKazakhstanFrench Southern TerritoriesEswatiniUzbekistanMongoliaBhutanNew CaledoniaFijiKuwaitTimor-LesteBahamasVanuatuFalkland Islands (Malvinas)South Georgia and the South Sandwich IslandsGambia, Republic of TheQatarJamaicaCyprusNorthern CyprusPuerto RicoBrunei DarussalamTrinidad and TobagoCabo VerdeFrench PolynesiaSamoaLuxembourgComorosMauritiusFaroe IslandsSao Tome and PrincipeVirgin Islands, U.S.CuracaoSint Maarten (Dutch Part)DominicaTongaKiribatiMicronesia, Federated States ofBahrainNorthern Mariana IslandsPalauSeychellesAntigua and BarbudaBarbadosTurks and Caicos IslandsSaint Vincent and the GrenadinesSaint LuciaGrenadaMaltaMaldivesCayman IslandsSaint Kitts and NevisMontserratSaint BarthelemyNiueSaint Pierre and MiquelonCook IslandsWallis and FutunaAmerican SamoaMarshall IslandsArubaLiechtensteinVirgin Islands, BritishSaint Helena, Ascension and Tristan Da CunhaJerseyAnguillaSaint Martin (French Part)GuernseySan MarinoBermudaTuvaluNauruGibraltarPitcairnMonacoHoly See (Vatican City State)Isle of ManGuamSingaporeNorfolk IslandTokelau
Last update: Apr 2, 2024

Trustees

UserLocation
Antwerp
Seattle
Chicago
esmTutorials