Ludovic Courtès writes:

>> 3: http://theworld.com/~cme/spki.txt
>>
>> Using the above ACL, you'd trust a substitute for a path with a specific
>> hash if you can find 2 narinfos for that path and hash if they're signed
>> with keys in that entry. Multiple entries would still be supported, and
>> you wouldn't need to specify the k-of-n bit if you don't want to.
>>
>> I'm not quite sure how expressive this is, or if there are some policies
>> that would be good to support that either can't be expressed, or can't
>> be expressed easily. There are probably other approaches, and how to
>> support trusting substitutes is an important part to consider.
>
> I would be tempted to not bake it into /etc/guix/acl. You would still
> authorize all the servers, but instead of choosing a policy that accepts
> anything signed by one of them, as is currently the case, you would
> choose a policy that only accepts something signed by two of them.
>
> The policy would be implemented in (guix scripts substitute). I haven’t
> put much thought into it but it could be something akin to
> ‘lookup-narinfos/diverse’, roughly.
>
> Thoughts?

I think that could work; do you have any suggestions on how that "two"
would be configured? I guess it could be a boolean on/off, but it would
probably be more extensible to just allow providing a minimum number of
substitute servers to agree.

Thanks,

Chris
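The "minimum number of substitute servers to agree" policy discussed in this thread, written out as an added model in Python. This is not Guix code and uses none of Guix's modules; the `Narinfo` record, the key fingerprints, the server URLs and the store paths are all constructed for the example, and signature verification is assumed to have already happened (the `signer` field is the key that verified). The point it makes beyond the prose: agreement has to be counted in distinct authorized keys, not in narinfos or servers, because a mirror re-serving another farm's signed narinfo adds nothing, and the model also shows what happens when authorized servers advertise different hashes for the same path.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Narinfo:
    """One narinfo fetched from a substitute server (fields simplified, constructed)."""
    server: str      # where it was fetched from
    store_path: str  # the store item it describes
    nar_hash: str    # nar hash it advertises
    signer: str      # fingerprint of the key whose signature verified on it


def tally_signers(store_path: str,
                  narinfos: Iterable[Narinfo],
                  authorized_keys: set[str]) -> dict[str, set[str]]:
    """Map each advertised nar hash for `store_path` to the set of distinct
    authorized keys that signed a narinfo advertising it.

    Narinfos signed by keys outside the ACL are ignored, exactly as a single
    unauthorized signature is ignored today.  A set per hash means that two
    servers serving the same key's narinfo (a mirror) count once."""
    by_hash: dict[str, set[str]] = defaultdict(set)
    for n in narinfos:
        if n.store_path != store_path or n.signer not in authorized_keys:
            continue
        by_hash[n.nar_hash].add(n.signer)
    return dict(by_hash)


def choose_substitute(store_path: str,
                      narinfos: Iterable[Narinfo],
                      authorized_keys: set[str],
                      threshold: int) -> Optional[str]:
    """Return the nar hash to substitute for `store_path`, or None.

    A hash is acceptable only if at least `threshold` distinct authorized keys
    vouch for it.  If more than one hash reaches the threshold, the servers
    disagree and this model refuses rather than pick one; that refusal is a
    choice of this example, not something the thread settles."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    tally = tally_signers(store_path, narinfos, authorized_keys)
    accepted = [h for h, keys in tally.items() if len(keys) >= threshold]
    if len(accepted) != 1:
        return None
    return accepted[0]


# Constructed ACL and narinfos: three authorized keys, one rogue key.
AUTHORIZED = {"key-a", "key-b", "key-c"}

SAMPLE = [
    Narinfo("https://a.example", "/gnu/store/aaa-hello-2.12", "sha256:h1", "key-a"),
    Narinfo("https://b.example", "/gnu/store/aaa-hello-2.12", "sha256:h1", "key-b"),
    # a mirror re-serving a.example's narinfo: same key, so it must not count twice
    Narinfo("https://mirror.example", "/gnu/store/aaa-hello-2.12", "sha256:h1", "key-a"),
    # signed by a key that is not in the ACL: ignored
    Narinfo("https://rogue.example", "/gnu/store/aaa-hello-2.12", "sha256:h2", "key-x"),
    # only one authorized server has this one
    Narinfo("https://a.example", "/gnu/store/bbb-libfoo-1.0", "sha256:h3", "key-a"),
]

# Two authorized servers advertising different hashes for the same path.
DISAGREE = [
    Narinfo("https://a.example", "/gnu/store/ccc-bar-0.1", "sha256:h4", "key-a"),
    Narinfo("https://b.example", "/gnu/store/ccc-bar-0.1", "sha256:h5", "key-b"),
]


if __name__ == "__main__":
    for threshold in (1, 2, 3):
        print(threshold, "of", len(AUTHORIZED), "hello:",
              choose_substitute("/gnu/store/aaa-hello-2.12", SAMPLE, AUTHORIZED, threshold))
    print("libfoo at 2:", choose_substitute("/gnu/store/bbb-libfoo-1.0", SAMPLE, AUTHORIZED, 2))
    print("bar with disagreement at 1:",
          choose_substitute("/gnu/store/ccc-bar-0.1", DISAGREE, AUTHORIZED, 1))
```

With `threshold=1` the hello path is accepted on any single authorized signature; at 2 it is still accepted because `key-a` and `key-b` both vouch for `sha256:h1`; at 3 it is refused, since the mirror only repeats `key-a`. The libfoo path has one signer and so never clears a threshold of 2, which is the cost of the policy: paths that only one farm has built get rebuilt locally.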