gnunet-developers

[GNUnet-developers] gnunet-guile reboot & guix (take two)


From: amirouche
Subject: [GNUnet-developers] gnunet-guile reboot & guix (take two)
Date: Sat, 03 Feb 2018 14:10:36 +0100

Hello all,


After discussing gnunet & guix at fosdem with gnunet
people I have a better picture of where things can go.

The short story is:

1) There is no way to know the gnunet hash aka. gnunet uri
  of a substitute before the build.

2) There is no way to associate gnunet hash and guix hash
  in a secure/trusted manner over gnunet. Except maybe
  if we use GNS to publish guix hash as subdomains of
  substitute-server.guix.gnu?

Possible solutions:

a) Add the gnunet-uri of the substitute in the package
  definition. This can only work if the package is
  reproducible aka. the build is always the same given
  the same package definition. For reproducible builds,
  it will be possible to offload the build and
  the download over gnunet.

b) Use a central repository (!) which must be trusted and
  which will provide a map of guix hash <-> gnunet hash
  based on builds done locally. This way we can offload
  the download of the files to gnunet...
  That said, the central repository is still a SPOF.

Solution b) is not a massive improvement over the current
situation, that said maybe that is good enough. It's the
easy solution. We must:

i) change the substitute server to publish over gnunet
   new builds and add the gnunet hash to a local
   database.

ii) change the substitute server to publish
    guix hash <-> gnunet hash association file

iii) change guix, to fetch the association file from
     a trusted server and then download over gnunet
     the files.

Solution a) is my preferred because it's truly peer-to-peer
but it leads to a complicated workflow for builds that are
not reproducible since we must reset the gnunet uri in
the package definition from a trusted build server.
I am not sure how it's possible to rewrite a package
definition in guile right now.

WDYT?
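
Added example, not part of the original message and not gnunet or guix code: a Python model of steps i) to iii) of solution b), where the client authenticates the guix hash <-> gnunet hash association file and then checks whatever an untrusted peer returns against the gnunet hash. Assumptions: the gnunet hash is modelled as a plain SHA-512 of the content, an HMAC stands in for the trusted server's signature, and all names and sample data are constructed.

```python
import hashlib
import hmac
import json

def gnunet_hash(content: bytes) -> str:
    # Assumption: stand-in for a GNUnet content-derived identifier (plain SHA-512).
    return hashlib.sha512(content).hexdigest()

def _tag(key: bytes, body: bytes) -> str:
    # Assumption: HMAC stands in for the trusted server's signature (stdlib only).
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def publish_association(builds: dict, key: bytes) -> dict:
    """Steps i) and ii): record the gnunet hash of each local build, publish the map."""
    mapping = {guix: gnunet_hash(nar) for guix, nar in builds.items()}
    body = json.dumps(mapping, sort_keys=True)
    return {"body": body, "tag": _tag(key, body.encode())}

def fetch_substitute(guix_hash: str, assoc: dict, key: bytes, peers: dict):
    """Step iii): authenticate the map, then fetch by gnunet hash from untrusted peers."""
    if not hmac.compare_digest(_tag(key, assoc["body"].encode()), assoc["tag"]):
        raise ValueError("association file is not from the trusted server")
    wanted = json.loads(assoc["body"]).get(guix_hash)
    if wanted is None:
        return None  # no substitute published: caller builds locally
    content = peers.get(wanted)
    if content is None:
        return None  # no peer serves this content
    if gnunet_hash(content) != wanted:
        raise ValueError("peer content does not match the gnunet hash")
    return content

# Constructed sample data (hypothetical key, hash label and build outputs).
SERVER_KEY = b"constructed-demo-key"
GUIX_HASH = "constructed-guix-hash-hello"
BUILD_ON_SERVER = b"hello binary, built 2018-02-03T14:10"
BUILD_ELSEWHERE = b"hello binary, built 2018-02-04T09:00"  # non-reproducible rebuild
ASSOC = publish_association({GUIX_HASH: BUILD_ON_SERVER}, SERVER_KEY)
HONEST_PEERS = {gnunet_hash(BUILD_ON_SERVER): BUILD_ON_SERVER}

if __name__ == "__main__":
    print(fetch_substitute(GUIX_HASH, ASSOC, SERVER_KEY, HONEST_PEERS) == BUILD_ON_SERVER)
    # A rebuild with different bytes has a different gnunet hash, so a URI pinned
    # in the package definition (solution a) only matches reproducible builds.
    print(gnunet_hash(BUILD_ON_SERVER) != gnunet_hash(BUILD_ELSEWHERE))
```

The map is the only trusted input here: peers are untrusted because their content is checked against the gnunet hash, which is why the server that signs the map remains the single point of failure.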