From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: [GSoC] Supporting binary package distribution through GNUnet
Date: Wed, 25 Mar 2015 21:56:17 +0100
Message-ID: <87mw30hk3y.fsf@gnu.org>
References: <87sicukybm.fsf@free.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49794)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1YasLj-0002FY-US
	for guix-devel@gnu.org; Wed, 25 Mar 2015 16:56:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1YasLg-0004bP-Lz
	for guix-devel@gnu.org; Wed, 25 Mar 2015 16:56:27 -0400
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:38272)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
	id 1YasLg-0004bL-In
	for guix-devel@gnu.org; Wed, 25 Mar 2015 16:56:24 -0400
In-Reply-To: <87sicukybm.fsf@free.fr> (=?utf-8?Q?=22R=C3=A9mi?=
	Birot-Delrue"'s message of "Tue, 24 Mar 2015 20:08:45 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: =?utf-8?Q?R=C3=A9mi?= Birot-Delrue <asgeir@free.fr>
Cc: Guix-devel <guix-devel@gnu.org>

Hi!

R=C3=A9mi Birot-Delrue <asgeir@free.fr> skribis:

> Ideally, would anyone be allowed to provide substitutes? Or would there
> be a set of =E2=80=9Ctrusted substitute maintainers=E2=80=9D (possibly on=
e maintainer by
> package)? Maybe a mix. Maybe =E2=80=9Canswering this question=E2=80=9D is=
 part of the
> project?

IMO the basic trust model wouldn=E2=80=99t be much different from what we h=
ave
today (see
<https://www.gnu.org/software/guix/manual/guix.html#Substitutes>.)

That is, users would explicitly authorize certain providers by adding
their public key to their access control list (ACL.)

Now, many/most package builds are reproducible and should be
bit-identical.  So in practice, most of the time, a given build will be
actually be signed by several providers.

> Another point is: how would Guix handle these different sources? Should
> it propose the end-user a choice, or include a way to automatically
> choose in most cases?

To begin with, the ACL is enough.

> The prospect of having a (semi-)decentralised and Lisp-based
> package-manager is really appealing.

Glad you like it.  :-)

If you haven=E2=80=99t already, please have a look at the discussion with
Christian Grothoff on this list a few weeks ago for additional
thoughts.

I would also recommend that you get in touch with gnunet-developers or
#gnunet so they can tell you which GNUnet APIs to look at and provide
additional insight.  It would be nice if you could start playing with
GNUnet and Guix to become more familiar with them.

Also note that the deadline for student proposals is this Friday, so
make sure to post yours on Melange when you=E2=80=99re ready.

Thanks,
Ludo=E2=80=99.