[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Applying the GPG web-of-trust to Guix (was Re: Signed archives)
From: |
Mark H Weaver |
Subject: |
Applying the GPG web-of-trust to Guix (was Re: Signed archives) |
Date: |
Fri, 21 Feb 2014 17:10:37 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) |
Nikita Karetnikov <address@hidden> writes:
> 3. How does a user get Hydra’s public key?
>
> 4. Will the entire cache be signed with a single key? (Mark, would you
> like to add something?)
FWIW, I think it's a mistake to have Hydra sign all binaries. Doing
this would make Hydra a single-point of failure, and therefore a very
worthwhile machine for someone to hack into.
Instead, the binaries should be signed by the build machine that
produced them. Hydra's job should simply be to collect the set of
signatures that have been made on a given binary. Initially, the build
machine's signature would be the only one, but then users should be able
to upload their own signatures to Hydra, after they have independently
verified that a given derivation produces a given binary.
I think that the design of the GPG web-of-trust is exactly applicable
here, in almost all respects. Whereas the GPG web-of-trust is designed
to allow users to gain confidence that a public key was truly produced
by a given person, our Guix web-of-trust should be designed to give
confidence that a given binary was truly produced by a given derivation.
Just as GPG keyservers allow anyone to add their signatures to certify
that a public key was produced by a given person, and then distributes
all of the accumulated signatures to anyone who requests a key, Guix
hydra servers should allow anyone to add their signatures, and
distribute all of them to anyone who requests a binary.
Just as GPG allows users to specify how much they trust they place on a
given person to certify that other keys were produced by their owners,
Guix client software should allow users to specify their trust in a
given person or build machine to certify that a given binary was
produced by a given derivation.
Finally, just as GPG computes a metric of how much confidence you should
have that a given key was produced by a given person, based on all of
the above information, Guix should also produce such a metric.
As far as I can tell, the trust metric algorithms are directly
applicable to Guix. I think that we should simply copy all of the
concepts and algorithms from GPG.
What do you think?
Mark
- Re: Signed archives, (continued)
- Re: Signed archives, Ludovic Courtès, 2014/02/04
- Re: Signed archives, Nikita Karetnikov, 2014/02/20
- Re: Signed archives, Ludovic Courtès, 2014/02/21
- Re: Signed archives (preliminary patch), Nikita Karetnikov, 2014/02/27
- Re: Signed archives (preliminary patch), Ludovic Courtès, 2014/02/27
- Re: Signed archives (preliminary patch), Mark H Weaver, 2014/02/28
- Re: Signed archives (preliminary patch), Ludovic Courtès, 2014/02/28
- Re: Signed archives (preliminary patch), Nikita Karetnikov, 2014/02/28
- Re: Signed archives (preliminary patch), Nikita Karetnikov, 2014/02/28
- Re: Signed archives (preliminary patch), Ludovic Courtès, 2014/02/28
- Applying the GPG web-of-trust to Guix (was Re: Signed archives),
Mark H Weaver <=
- Re: Applying the GPG web-of-trust to Guix (was Re: Signed archives), Ludovic Courtès, 2014/02/21