Where did this idea come from?

This project draws inspiration from a variety of sources. Technically it relies on a large amount of the ecosystem developed for the Go modules ecosystem. It also is inspired by a design doc for Binary Transparency originally designed for the Mozilla Firefox project.

Why not build this ontop of blockchain?

Blockchain could be used to create a similar guarantee. However, using transparency log technology extends a number of advantages and was a pragmatic choice to get this project going: the industry momentum of transparency log technology (1) and Go modules, leverage existing web technologies like DNS and TLS, and finally most practical applications that want to use blockchain with the web end up using a centralized gateway for speed and reliability (3)(4). Perhaps as the bridge between the web and blockchain matures it will become a more practical option.

Why not use GPG keys or other public key signing?

This is complimentary to public key signing! Public key signing asserts that someone with access to the private key signed the exact content. But, the private key can be used to generate an unlimited number of signatures for different content. If the URLs contents are both signed and logged in the URL content record then there is a guarantee that both the owner of the private key signed the content AND the content being fetched is cryptographically identical to the content other people are fetching using tl.

Where does the name tl come from?

tl stands for transparency log.

What are examples of practical attacks this could mitigate?

A well known example is the Feb. 2016 attack on the Linux Mint project where an attacker replaced a version of a Linux Mint release with a new version that included a backdoor vulnerability. With luck this was detected and mitigated within a day, however, there are likely many projects that have been attacked in a similar way without catching the attack. Further, the project could not make a strong assurance to the community on how long they were vulnerable, only stating "As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.". By ensuring the cryptographic digests of all releases end up in a publicly audited log the project could have stated exactly when the content changed and potentially used a Certificate Transparency monitor to get notified quickly once it happened.

What happens if a URLs contents are modified?

URLs whos contents will change aren't a good use case for fetching via tl. The first contents the service sees for a URL will be the contents that are stored forever.

Could this be integrated into curl/wget/Chrome/Firefox/etc?

Absolutely! Building asset transparency was a bit of a chicken or the egg issue: both the asset transparency log service and the clients needed to be built. Our hope is that our experiments with tl will be so successful that browsers, software auto-updaters, and command line tools will natively integrate with it. Maybe one day OSes will even offer asset transparency as a first class subsystem alongside certificates today!

If you have a question that isn't answered here please open an issue.