Re: Public guix offload server

[Tobias Geerinckx-Rice <me@tobias.gr>]

[-- Attachment #1: Type: text/plain, Size: 2260 bytes --]

All,

zimoun 写道：
>>> Do you mean that trusted users would try WM-escape exploits?
>> The world has been formed by warewolves inside communities 
>> purposely
>> causing harm. Looking further back, Oliver the Spy is a classic
>> examplar of trust networks being hollowed out.

So…

> I cannot assume that on one hand one trusted person pushes to 
> the main
> Git repo in good faith and on other hand this very same trusted 
> person
> behaves as a warewolves using a shared resource.

…li'l' sleepy here, bewarned, but before this gets out of hand: I 
never implied direct abuse of trust by committers.  I don't 
consider it the main threat[0].

There are the people you meet at FOSDEM and the users who log into 
machines.  Both can be compromised, but the latter are much easier 
and more likely to be.

Such compromise is not laughable or hypothetical: it happens 
*constantly*.  It's how kernel.org was utterly owned[1].

Trusting people not to be evil is not the same as having to trust 
the opsec habits of every single one of them.  Trust isn't 
transitive.  Personally, I don't think a rogue zimoun will 
suddenly decide to abuse us.  I think rogues will abuse zimoun the 
very first chance they get.

That's not a matter of degree: it's a whole different threat 
model, as is injecting arbitrary binaries vs. pushing malicious 
code commits.  Both are bad news, but there's an order of 
magnitude difference between the two.

> For sure, one can always abuse the trust.  Based on this 
> principle, we
> could stop any collaborative work right now.  The real question 
> is the
> evaluation of the risk of such abuse by trusted people after 
> long period
> of collaboration (that’s what committer usually means).

Isn't that the kind of hands-up-in-the-air why-bother 
nothing's-perfect fatalism I thought your Python quote (thanks!) 
was trying to warn me about?  ;-)

Zzz,

T G-R

[0]: That's probably no more than an optimistic human flaw on my 
part and ‘disgruntled ex-whatevers’ are probably more of a threat 
that most orgs dare to admit.

[1]: I know, ancient history, but I'm working from memory here. 
I'm sure it would be trivial to find a more topical example.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]