On 2022-06-11, Maxime Devos wrote:
> jbranso@dismail.de schreef op za 11-06-2022 om 16:06 [+0000]:
>> What's good and/or bad about this idea?
>
> A positive point: extra resources, could be useful for reproducibility
> testing, ...?
>
> A negative point: extra points through with malware can be introduced
> (->compromises).  Can be solved by reproducible builds and variation of
> "guix challenge". Unfortunately, "guix challenge" is inherently racy.
> "guix substitute" currently only checks that the narinfo has a _single_
> authorised signature, maybe it can be adjusted to allow the user to
> ask: ‘only consider a substitute to be authorised if the same hash is
> signed by N different authorised keys’?

Even without "signed by N" reproducible builds and guix substitute
servers have some very interesting qualities!

It's been a while since I've tested, but I seem to recall setting up a
situation where I had a untrusted substitute server locally (e.g. I
didn't add that server's keys to guix's trusted keys), and also
configured my guix machine to use the default guix substitute servers
(which were in the guix acl for authorized keys).

Roughly approximated as:

  guix COMMAND --substitute-urls='https://untrusted.example.com https://ci.guix.gnu.org https://bordeaux.guix.gnu.org'

For packages that build reproducibly, you could actually download the
signatures (which are fairly small) from the "trusted" substitute
servers, but download the actual packages (which can be quite large)
from the "untrusted" substitute server...

I've actually been wondering if one couldn't make this behavior more
explicit, e.g. have substitute servers that *only* served signatures,
and substitute servers that *only* served (unsigned?) builds. I guess
you can more-or-less create this effect by never publishing the key that
packages are signed with for the untrusted/untrustable substitute
server?

Anything that you can download from the "unstrusted" server is
demonstratably reproducible, because a "trusted" server also built it.
presuming, of course, both servers are actually performing the builds,
but worst case you still get the bit-for-bit identical packages as the
"trusted" substitutes.

It's an awesome way to be able to distribute the downloads for that 80%
and growing number of packages that are reproducible away from the
default substitute servers, without actually having to even place much
trust an arbitrary third party, other than metadata about what you've
downloaded...


I remember this being one of my favorite features of guix that I learned
about early on, but haven't really done much with it!


live well,
  vagrant