From: Christopher Baines
To: Ludovic Courtès
Cc: guix-devel@gnu.org
Subject: Re: K of N trust in substitutes (related to reproducible builds)
Date: Tue, 16 Jun 2020 20:05:58 +0100
Message-ID: <874krabzl5.fsf@cbaines.net>
In-Reply-To: <87o8pjwdwx.fsf@gnu.org>
References: <87lfkq8ugk.fsf@cbaines.net> <87o8pjwdwx.fsf@gnu.org>

Ludovic Courtès writes:

>> 3: http://theworld.com/~cme/spki.txt
>>
>> Using the above ACL, you'd trust a substitute for a path with a specific
>> hash if you can find 2 narinfos for that path and hash if they're signed
>> with keys in that entry. Multiple entries would still be supported, and
>> you wouldn't need to specify the k-of-n bit if you don't want to.
>>
>> I'm not quite sure how expressive this is, or if there are some policies
>> that would be good to support that either can't be expressed, or can't
>> be expressed easily. There's probably other approaches, and how to
>> support trusting substitutes is an important part to consider.
>
> I would be tempted to not bake it into /etc/guix/acl. You would still
> authorize all the servers, but instead of choosing a policy that accepts
> anything signed by one of them, as is currently the case, you would
> choose a policy that only accepts something signed by two of them.
>
> The policy would be implemented in (guix scripts substitute). I haven’t
> put much thought into it but it could be something akin to
> ‘lookup-narinfos/diverse’, roughly.
>
> Thoughts?

I think that could work; do you have any suggestions on how that "two"
would be configured? I guess it could be a boolean on/off, but it would
probably be more extensible to just allow providing a minimum number of
substitute servers to agree.

Thanks,

Chris
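As an added illustration of the policy discussed in this thread (not code from the thread or from Guix itself), the following models the k-of-n agreement check: the narinfos a client fetched for one store path are grouped by nar hash, and a hash is accepted only when at least k distinct authorized servers signed a narinfo carrying it. The server names and HMAC stand-in keys are constructed assumptions; real Guix narinfos carry Ed25519 signatures over their fields.

```python
"""Model of a k-of-n substitute trust policy (illustration, not Guix code)."""
import hashlib
import hmac
from collections import defaultdict

# Constructed stand-in key material: a Guix narinfo carries an Ed25519
# signature over its fields, but here each server key is an HMAC secret
# so the example runs offline. Names are assumptions, not real servers.
SERVER_KEYS = {
    "ci.example": b"secret-a",
    "bayfront.example": b"secret-b",
    "mirror.example": b"secret-c",
}


def sign_narinfo(server, store_path, nar_hash):
    """Build a constructed narinfo 'signed' with SERVER_KEYS[server]."""
    msg = f"{store_path}\n{nar_hash}".encode()
    sig = hmac.new(SERVER_KEYS[server], msg, hashlib.sha256).hexdigest()
    return {"server": server, "path": store_path, "hash": nar_hash, "sig": sig}


def narinfo_is_authentic(narinfo, authorized_keys):
    """True only if the signer is authorized and the signature verifies."""
    key = authorized_keys.get(narinfo["server"])
    if key is None:
        return False  # signer not in the ACL: ignore entirely
    msg = f"{narinfo['path']}\n{narinfo['hash']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, narinfo["sig"])


def choose_hash_k_of_n(narinfos, authorized_keys, k, store_path):
    """Return the nar hash that at least k distinct authorized servers vouch
    for, or None.  Distinct signers are counted, not narinfos, so one server
    replaying its narinfo several times cannot reach the threshold alone."""
    if k < 1 or k > len(authorized_keys):
        raise ValueError("k must be between 1 and the number of authorized keys")
    signers_by_hash = defaultdict(set)
    for n in narinfos:
        if n["path"] != store_path or not narinfo_is_authentic(n, authorized_keys):
            continue  # wrong path, unknown signer, or tampered narinfo
        signers_by_hash[n["hash"]].add(n["server"])
    agreed = [h for h, s in signers_by_hash.items() if len(s) >= k]
    # With 2k <= n two different hashes can each reach k signers; refuse
    # rather than pick one, since the servers then genuinely disagree.
    return agreed[0] if len(agreed) == 1 else None
```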