From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id gO4qArEmbWGCewAAgWs5BA (envelope-from ) for ; Mon, 18 Oct 2021 09:48:01 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id sPZ+ObAmbWHFKwAA1q6Kng (envelope-from ) for ; Mon, 18 Oct 2021 07:48:00 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 661972AB8A for ; Mon, 18 Oct 2021 09:48:00 +0200 (CEST) Received: from localhost ([::1]:60754 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mcNNH-0004Qj-JH for larch@yhetil.org; Mon, 18 Oct 2021 03:47:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:50524) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mcNN2-0004QN-Ch for guix-devel@gnu.org; Mon, 18 Oct 2021 03:47:47 -0400 Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]:11453) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mcNN0-0001Ve-Ri for guix-devel@gnu.org; Mon, 18 Oct 2021 03:47:44 -0400 IronPort-HdrOrdr: =?us-ascii?q?A9a23=3AskNNsKinZ39Kb+CsTR3qBxeB03BQXr0ji2hC?= =?us-ascii?q?6mlwRA09TyX+raGTdZUguyMc5wxhO03I9erwWpVoIkmyyXcK2+ks1N6ZNWGM0l?= =?us-ascii?q?dAR7sP0WKN+VDdJxE=3D?= X-IronPort-AV: E=Sophos;i="5.84,326,1620684000"; d="scan'208";a="534439704" Received: from unknown (HELO ribbon) ([193.50.110.252]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Oct 2021 09:47:41 +0200 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Thiago Jung Bauermann Subject: Re: Tricking peer review References: <874k9if7am.fsf@inria.fr> <2932876.amfyGXvyGV@popigai> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 27 =?utf-8?Q?Vend=C3=A9miaire?= an 230 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 18 Oct 2021 09:47:41 +0200 In-Reply-To: <2932876.amfyGXvyGV@popigai> (Thiago Jung Bauermann's message of "Fri, 15 Oct 2021 20:13:36 -0300") Message-ID: <877deadbaa.fsf@inria.fr> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=192.134.164.83; envelope-from=ludovic.courtes@inria.fr; helo=mail2-relais-roc.national.inria.fr X-Spam_score_int: -41 X-Spam_score: -4.2 X-Spam_bar: ---- X-Spam_report: (-4.2 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org, Liliana Marie Prikler Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1634543280; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=Dd/o8y7c7KDYeTc8LehohVsgFtKSitbNbjLFVFZzzgY=; b=A9fFfiS+8fjNghqeL64wzLewnybn0jCZV/HiV5bJjUihjTcZkUyforJtFFVLxIqZ9k2a6d O80rfyCXEP3dLhiNPA3YTITCSMKexDKzq+LH3TKfolLDIw4VGOH3SXlN1fLv0V5FmYnRRW D/Ns4c9pTqTR+wZX4+Ey2ZB/fJ7wAFSwVxc21pyanNHXHsb0LZJf44QrtJQIK3dHCX3Bsv MdAW6gC57JhKQed8QbzrY/9oRMrVmOgVNQWroKAaen9Dt2Cm7fe0KS2Lva/1qiuI5VfM1D MYz3Z7Ha+y/P2/DUr+vp36wfRFS8fPD/d3ybv7qdzzU8j7JGPRiUyjatwhvq1A== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1634543280; a=rsa-sha256; cv=none; b=D+mZ0wORPuGjskxc9rl6aIyUj3NDhDYmkRi1I7JvDOrGLXu7MHf9OAXQkDjK/hXPJbkyqu uVJQnBUEPBQwcKcmXTd4SVd9gg3WAnxzCccpFXGBW4JOlO/e1Y5UZkWu0LDGMzmAvv8awe 03y/0Q0rhB7tutL6oe70TcbdGl4fQCA9mfg4n510fh++nc1+Nx8mXv64qNBka1FNWS2jPX lFra0FNbRMOdT2GK5BfmaG1xQdQDAQLei/EixXKm4ka1QpfhcJ5uMWLsnY+vgiRFZX4R3z R1ExvbYaCIXPnjWk3aae+WKuJJ4sAWv2JhenSXTorKMV9zKgCG59w+LLi94pjg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -2.42 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 661972AB8A X-Spam-Score: -2.42 X-Migadu-Scanner: scn0.migadu.com X-TUID: kgyWWMBwyahL Hello, Thiago Jung Bauermann skribis: > I=E2=80=99ve been thinking lately that Guix {sh,c}ould have a new =E2=80= =99release-signing- > keys=E2=80=99 field in the package record which would list the keys that = are known=20 > to sign official releases of the package. Then Guix would check the tarba= ll/ > git commit/git tag when downloading it. It would be an additional (and IM= HO=20 > important) source of truth. Yes, it=E2=80=99s been discussed a few times and I agree it=E2=80=99d be ni= ce. The difficulty here is that it=E2=80=99s =E2=80=9Csilent=E2=80=9D metadata:= it=E2=80=99s not used, or at least not necessarily used as part of the download process. But maybe that=E2=80=99s OK: we can have the download process check signatures when possible. Right now we rely on =E2=80=98guix refresh -u=E2=80=99 or contributors/revi= ewers do perform this check. > There are details that would need to be hashed out such as how to deal wi= th=20 > revoked keys or whether to store the keys themselves on the Guix repo or= =20 > anywhere else in Guix=E2=80=99s infrastructure, but I think it=E2=80=99s = possible to arrive=20 > at a reasonable solution. Perhaps a first step would be to download keys opportunistically. We have (guix openpgp) which can be used to verify signatures without taking revocation into account. Thanks, Ludo=E2=80=99.