guix-devel

Re: Applying the GPG web-of-trust to Guix (was Re: Signed archives)


From: Ludovic Courtès
Subject: Re: Applying the GPG web-of-trust to Guix (was Re: Signed archives)
Date: Sat, 22 Feb 2014 00:10:22 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

Mark H Weaver <address@hidden> writes:

> Nikita Karetnikov <address@hidden> writes:
>
>> 3. How does a user get Hydra’s public key?
>>
>> 4. Will the entire cache be signed with a single key?  (Mark, would you
>>    like to add something?)
>
> FWIW, I think it's a mistake to have Hydra sign all binaries.  Doing
> this would make Hydra a single-point of failure, and therefore a very
> worthwhile machine for someone to hack into.

Ah, agreed.  But I think here “Hydra” was understood as “the build
machine behind hydra.gnu.org”, not specifically the machine at
hydra.gnu.org.

I think the first milestone will be to have signatures at all, but I
agree that what you describe is the next one.

> Instead, the binaries should be signed by the build machine that
> produced them.  Hydra's job should simply be to collect the set of
> signatures that have been made on a given binary.  Initially, the build
> machine's signature would be the only one,

If there are several build slaves behind hydra.gnu.org, the offload hook
could also collect signatures from those machines.

> but then users should be able to upload their own signatures to Hydra,
> after they have independently verified that a given derivation
> produces a given binary.

Agreed.  (That would mean either modifying Hydra, or coming up with an
alternative system, I think.)

[...]

> As far as I can tell, the trust metric algorithms are directly
> applicable to Guix.  I think that we should simply copy all of the
> concepts and algorithms from GPG.

The analogies you make indeed show which concepts could be applicable.

Technically, I think SPKI is more appropriate than OpenPGP here, because
OpenPGP is really about certifying bindings between email addresses and
human beings.  (And ‘guix authenticate’ & co. already is very SPKI-like.)

In particular, as Niels mentioned recently, delegation in SPKI may help
address some of these issues: users could publish delegation
certificates for the ‘guix-import’ tag, meaning that A trusts B for the
purposes of importing archives signed by B.

From there, I think we should try to come up with a road map, because
it’ll be hard to address all of that at once.

Ludo’.
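The scheme sketched in this message (each build machine signs the binary it produced, Hydra only collects signatures and signs nothing, users add their own signature after reproducing a build, and SPKI-style delegation for a 'guix-import' tag), as an added self-contained example in Go. It is not code from the thread or from Guix and does not model the real ‘guix authenticate’ format. Only the 'guix-import' tag name comes from the message; the Ed25519 keys, the signed message layout, the Aggregator and Policy API, the sample store path and the nar contents are assumptions made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Tag scopes delegations SPKI-style; 'guix-import' is the name floated in the
// thread. Keys, message layout and APIs here are illustrative, not Guix's own.
const Tag = "guix-import"

type Item struct { // a store path plus the hash of the normalized archive behind it
	StorePath string
	NarHash   [32]byte
}
type Signature struct { // one party's claim that StorePath has NarHash
	Signer ed25519.PublicKey
	Sig    []byte
}
type Delegation struct { // Issuer states that Subject may vouch for archives under Tag
	Issuer, Subject ed25519.PublicKey
	Tag             string
	Sig             []byte
}
type Policy struct { // an importing user's own key plus the delegations it holds
	Root  ed25519.PublicKey
	Certs []Delegation
}

func newItem(path, nar string) Item { return Item{path, sha256.Sum256([]byte(nar))} }
func keyFromSeed(name string) ed25519.PrivateKey { // deterministic demo keys
	s := sha256.Sum256([]byte(name))
	return ed25519.NewKeyFromSeed(s[:])
}
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
func keyID(k ed25519.PublicKey) string          { return hex.EncodeToString(k) }
func verify(k ed25519.PublicKey, msg, sig []byte) bool {
	return len(k) == ed25519.PublicKeySize && ed25519.Verify(k, msg, sig) // Verify panics on bad key length
}

// The canonical byte strings that get signed: tag, path, hash / "delegate", tag, subject.
func (it Item) message() []byte {
	return []byte(Tag + "\x00" + it.StorePath + "\x00" + hex.EncodeToString(it.NarHash[:]))
}
func (d Delegation) message() []byte { return []byte("delegate\x00" + d.Tag + "\x00" + keyID(d.Subject)) }
func signItem(it Item, k ed25519.PrivateKey) Signature {
	return Signature{Signer: pub(k), Sig: ed25519.Sign(k, it.message())}
}
func Delegate(issuer ed25519.PrivateKey, subject ed25519.PublicKey, tag string) Delegation {
	d := Delegation{Issuer: pub(issuer), Subject: subject, Tag: tag}
	d.Sig = ed25519.Sign(issuer, d.message())
	return d
}

// Aggregator is the role proposed for Hydra: it collects signatures made on a
// binary by build machines and users, and signs nothing itself. Collect keeps a
// signature only if it verifies against the claimed key for this exact item.
type Aggregator map[string][]Signature
func (a Aggregator) Collect(it Item, s Signature) bool {
	if !verify(s.Signer, it.message(), s.Sig) {
		return false
	}
	a[it.StorePath] = append(a[it.StorePath], s)
	return true
}

// TrustedKeys is Root plus every Subject with a valid delegation from Root for
// tag ("A trusts B for guix-import"); forged certs and other tags grant nothing.
func (p Policy) TrustedKeys(tag string) map[string]bool {
	trusted := map[string]bool{keyID(p.Root): true}
	for _, c := range p.Certs {
		if c.Tag == tag && keyID(c.Issuer) == keyID(p.Root) && verify(c.Issuer, c.message(), c.Sig) {
			trusted[keyID(c.Subject)] = true
		}
	}
	return trusted
}

// Accept counts distinct trusted keys with a valid signature on it and requires
// at least threshold of them, so no single build machine decides alone.
func (p Policy) Accept(it Item, sigs []Signature, threshold int) (int, bool) {
	trusted, seen := p.TrustedKeys(Tag), map[string]bool{}
	for _, s := range sigs {
		if id := keyID(s.Signer); trusted[id] && verify(s.Signer, it.message(), s.Sig) {
			seen[id] = true
		}
	}
	return len(seen), len(seen) >= threshold
}

func main() {
	it, agg := newItem("/gnu/store/sample-hello-2.9", "constructed nar contents"), Aggregator{}
	build, user, client := keyFromSeed("build-1"), keyFromSeed("user"), keyFromSeed("client")
	agg.Collect(it, signItem(it, build))
	agg.Collect(it, signItem(it, user)) // the user rebuilt it and got the same hash
	p := Policy{pub(client), []Delegation{Delegate(client, pub(build), Tag), Delegate(client, pub(user), Tag)}}
	fmt.Println(p.Accept(it, agg[it.StorePath], 2)) // 2 true
}
```

Two things in this toy are the point of the thread: the collection site holds no signing key, so compromising it gains an attacker nothing beyond the ability to drop signatures, and the importing side sets its own threshold, so one build machine's signature alone does not suffice once the threshold is above one. Delegation is scoped to the tag, so a key trusted to vouch for archives is not thereby trusted for anything else. Distributing the public keys and delegation certificates themselves (question 3 in the thread) is left out here and would need its own secure channel.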


