From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: Signed archives (preliminary patch)
Date: Fri, 28 Feb 2014 11:37:13 +0100 [thread overview]
Message-ID: <87mwhb5xra.fsf@gnu.org> (raw)
In-Reply-To: <87txbjoan3.fsf@yeeloong.lan> (Mark H. Weaver's message of "Fri, 28 Feb 2014 04:21:36 -0500")
Mark H Weaver <mhw@netris.org> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> The difficulty here will be to compute the hash up to the Signature
>> field. To do that, ‘read-narinfo’ should probably:
>>
>> 1. read everything from PORT with ‘get-string-all’ in a string (make
>> sure PORT’s encoding is UTF-8);
>>
>> 2. isolate the lines before the ^[[:blank:]]*Signature[[:blank:]]:
>> line;
>>
>> 3. compute the hash of those lines;
>>
>> 4. do (fields->alist (open-input-string the-whole-string));
>>
>> 5. pass the hash to the signature verification procedure.
>>
>> Does that make sense?
>
> Apologies in advance if I'm failing to understand, but I'm concerned
> about bundling a single principal signature into the narinfo file.
> Not only does it cause the complications discussed above, but more
> importantly, it seems to introduce an architectural bias toward an
> authentication scheme where everyone is encouraged to place their
> trust in a single centralized build system.
Well, narinfos are a protocol for Hydra, which is a centralized build
system.
Nevertheless, the signatures we use are canonical sexps, so we could
really put anything in there. Currently it’s a single “signature sexp”
(which includes a public key) though; it could be that of the
hydra.gnu.org front-end, or that of a build slave, eventually.
> How do you envision the transition from this single-signature
> architecture to one where other users and/or independent build farms
> can add their signatures to hydra? Will those signatures be treated
> differently than the signatures created by hydra.gnu.org? Will they
> be stored and sent to users using a different mechanism?
Honestly I don’t know yet. Partly because it’s unclear to me that
modifying Hydra to support such things is the right thing to do.
For the kind of operation you mention, I’d rather have some sort of
distributed store, where people can publish binaries they have produced.
Then users could look up specific store file names in there, check where
they originate from–i.e., who signed them–, compare their hash, etc.
This is pretty much related to the GNUnet software update idea.
Alternately, we could write a Guile web server that publishes a user’s
store using Hydra’s protocols, and from there gradually adjust
substitute-binary to intelligently handle multiple servers. (That would
even make a good GSoC project, no?)
Thanks,
Ludo’.
next prev parent reply other threads:[~2014-02-28 10:37 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-26 14:13 ‘guix archive’ doesn’t work over ‘./pre-inst-env’ Nikita Karetnikov
2014-01-26 14:52 ` Ludovic Courtès
2014-01-26 16:09 ` Signed archives (was: ‘guix archive’ doesn’t work over ‘./pre-inst-env’) Nikita Karetnikov
2014-01-26 19:36 ` Signed archives Ludovic Courtès
2014-01-27 15:36 ` Nikita Karetnikov
2014-01-27 15:56 ` Ludovic Courtès
2014-02-03 10:45 ` Nikita Karetnikov
2014-02-04 13:12 ` Ludovic Courtès
2014-02-20 9:54 ` Nikita Karetnikov
2014-02-21 21:17 ` Ludovic Courtès
2014-02-27 20:48 ` Signed archives (preliminary patch) Nikita Karetnikov
2014-02-27 22:43 ` Ludovic Courtès
2014-02-28 9:21 ` Mark H Weaver
2014-02-28 10:37 ` Ludovic Courtès [this message]
2014-02-28 18:46 ` Nikita Karetnikov
2014-02-28 21:22 ` Nikita Karetnikov
2014-02-28 22:05 ` Ludovic Courtès
2014-03-03 22:54 ` Nikita Karetnikov
2014-03-04 21:59 ` Ludovic Courtès
2014-03-08 22:38 ` Nikita Karetnikov
2014-03-08 22:46 ` Nikita Karetnikov
2014-03-09 17:22 ` Ludovic Courtès
2014-03-09 22:35 ` Ludovic Courtès
2014-03-11 9:51 ` Nikita Karetnikov
2014-03-12 11:57 ` Nikita Karetnikov
2014-03-12 14:25 ` Ludovic Courtès
2014-03-12 23:37 ` [PATCH 2/2] guix substitute-binary: Support the Signature field of a narinfo file. (was: Signed archives (preliminary patch)) Nikita Karetnikov
2014-03-13 21:38 ` [PATCH 2/2] guix substitute-binary: Support the Signature field of a narinfo file Ludovic Courtès
2014-03-13 21:55 ` Nikita Karetnikov
2014-03-13 22:53 ` Ludovic Courtès
2014-03-15 12:24 ` Nikita Karetnikov
2014-03-31 21:54 ` Signed archives (preliminary patch) Ludovic Courtès
2014-02-21 22:10 ` Applying the GPG web-of-trust to Guix (was Re: Signed archives) Mark H Weaver
2014-02-21 23:10 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mwhb5xra.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).