From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id CAsHJ9hpymYpZwAAe85BDQ:P1 (envelope-from ) for ; Sat, 24 Aug 2024 23:16:40 +0000 Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id CAsHJ9hpymYpZwAAe85BDQ (envelope-from ) for ; Sun, 25 Aug 2024 01:16:40 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=terracrypt.net header.s=fm2 header.b="A 6tCYdn"; dkim=pass header.d=messagingengine.com header.s=fm1 header.b=cZSxRAsp; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1724541400; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=lRvMqpBsOhMvII836mM2V54kuMXLxIpDZDBOknSEv+8=; b=WWQwve1uYL1IcTKkcOVwq9iz3Fi0YmHUd/64SSlFdEukY8I7KZEM7fkmiQxCOR7UI7Ytd7 FEtJdVAQM85sVBHxBW4ol5XbsFzeDiBPGLqlTUDItJ1eC6p1uCgwVcU6USIdOJE1kzOE9b OzMckcTx2S+vBXlReqdqdVzdn2Cl91ivlRAzzfg5K3be7GwZuBxa2ihkXB06R1VSedlHBU dP74W2zSecvscfv9PErNWwUmI7tv357IQUKlcBCdydu5e5w9d53hu1kbKS4wvTkIM+2sM8 WBdZh2M3X3Xlif61D7Wtc5Zmp9ulIdm99KnLY8/HxiLZzDTFV31rjo/s6MLJ6A== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1724541400; a=rsa-sha256; cv=none; b=lO/1+KxuZ3FeoQLXkj0354of/BaJCCor9NFi8E7U0bl2KW9DgYYwv4u4dfgwAVZCjSrcKO 1uy/H9jhdCmFsw7Etl8nq+PLUoFxMoAtyRrCst2Xq3GNF11xAmuQJrVkzvhrC3By8pTRxC DT6fAxFXvR/X+Bp5xAbGWGIhH9N7OdjtrCTvO02ulXgEmOGIuKSf2ufHvwJ+M0m+ILmQds 3Vti+zUm2180N9LZVqqOA/yWZ//p1UJhGqzGgn5sH1Yv31g7JKTAuRPXiSUld1jPlqAZu9 xTDoCJDOj+leQALskYaTj3hZOwVfGSkRF6oWBzoDC0ytW2jpZVASwvcoyNIAdA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=terracrypt.net header.s=fm2 header.b="A 6tCYdn"; dkim=pass header.d=messagingengine.com header.s=fm1 header.b=cZSxRAsp; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id BF48DA3A5 for ; Sun, 25 Aug 2024 01:16:39 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1shzzD-0008UZ-MB; Sat, 24 Aug 2024 19:15:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1shzz8-0008Tr-PU; Sat, 24 Aug 2024 19:15:55 -0400 Received: from fout7-smtp.messagingengine.com ([103.168.172.150]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1shzz5-0006ZS-K6; Sat, 24 Aug 2024 19:15:54 -0400 Received: from phl-compute-08.internal (phl-compute-08.nyi.internal [10.202.2.48]) by mailfout.nyi.internal (Postfix) with ESMTP id 24792139049F; Sat, 24 Aug 2024 19:15:47 -0400 (EDT) Received: from phl-imap-02 ([10.202.2.81]) by phl-compute-08.internal (MEProxy); Sat, 24 Aug 2024 19:15:47 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=terracrypt.net; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm2; t=1724541347; x= 1724627747; bh=lRvMqpBsOhMvII836mM2V54kuMXLxIpDZDBOknSEv+8=; b=A 6tCYdn/mzshknSWPjCN0UJcT+jWX3QrVVr1NhkQQ1owvzCMW9cilbKENGyLPJskF 9BREFiI3/9/JFWNP7vBnJiPejUoJnEN4CCtJCRJqdccmo96Mwt28iRQFfW/N2C9H SqirFizsluA9nCp9ezjHCmohMNMuOHSeRXm+QBc71Hx9spevZfa4nCeTeJaYf4dS qOvYu//B9TLLDJVp4oqwC/4ADLlRncPKyelJtD1387R0SoQn3N9waZ8Lg5VHfUWs N1xuSqWoVcooK3IjDToXI/iwUhoXtgCkql5yCLLS9lok6hWH54nXrXtowXAVgdqH 3V3lXVJSgHu68nyzU58Pg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1724541347; x=1724627747; bh=lRvMqpBsOhMvII836mM2V54kuMXL xIpDZDBOknSEv+8=; b=cZSxRAspvtAk91aTQVo2I1SlxxjmR/4QCu5wQ9ua3vl0 0WPx3aL5AmiOvyxRd801J7WCO6rsiZa4AF4Hg2vc1Al0pxJFMRvUGbCV+aaR83Ii MzdKG0y/tmb8NctDOskbzCvnqoIack7DPbX4d7SA9d9cBUohianqiJe0/hQWcTJK COVFvwvdbjLqRtWNxI4b0u93QpCLW7DuHUiYDW3bgB3l2hYIFwNgQ4IDxkN7XqmL +ansxDPTVFk0ztb2XDeVjxxnINdGzWa9LQPgwG0Dyb2JuMLUfLZbNfw0qTcptMAT VITfodXkUWG7QM9rzRWlPz8Nlu2+/VQ7zskqmsT0BA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddruddvhedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh htshculddquddttddmnecujfgurhepofggfffhvfevkfgjfhfutgesrgdtreerredttden ucfhrhhomhepfdflohhnrghthhgrnhcuhfhrvgguvghrihgtkhhsohhnfdcuoehjohhnrg hthhgrnhesthgvrhhrrggtrhihphhtrdhnvghtqeenucggtffrrghtthgvrhhnpeeuleev jeeltdfgjedtjeevleefjeduuddutdevleffhefhffduvdfhgffhuefgheenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehjohhnrghthhgrnhes thgvrhhrrggtrhihphhtrdhnvghtpdhnsggprhgtphhtthhopeeipdhmohguvgepshhmth hpohhuthdprhgtphhtthhopehguhhigidquggvvhgvlhesghhnuhdrohhrghdprhgtphht thhopehguhhigidqshihshgrughmihhnsehgnhhurdhorhhgpdhrtghpthhtoheplhhuug hosehgnhhurdhorhhgpdhrtghpthhtohepfhgvlhhigidrlhgvtghhnhgvrheslhgvrghs vgdquhhprdgtohhmpdhrtghpthhtohepmhgrrhgvkhesmhgrrhgvkhhprghsnhhikhhofi hskhhirdhplhdprhgtphhtthhopehsvghrghhiohdrphgrshhtohhrphgvrhgviiesohhu thhlohhokhdrvghs X-ME-Proxy: Feedback-ID: if4194509:Fastmail Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3FD78B00066; Sat, 24 Aug 2024 19:15:46 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface MIME-Version: 1.0 Date: Sat, 24 Aug 2024 19:15:26 -0400 From: "Jonathan Frederickson" To: "Felix Lechner" , =?UTF-8?Q?Sergio_Pastor_P=C3=A9rez?= , =?UTF-8?Q?Marek_Pa=C5=9Bnikowski?= , =?UTF-8?Q?Ludovic_Court=C3=A8s?= Cc: guix-devel@gnu.org, guix-sysadmin Message-Id: In-Reply-To: <87o75vb5p9.fsf@lease-up.com> References: <87sewr98jd.fsf@gnu.org> <87sevnhp02.fsf@marekpasnikowski.pl> <3ad5baad-2ab6-4fa4-8788-717f827ccf86@app.fastmail.com> <87o75vb5p9.fsf@lease-up.com> Subject: Re: Sustainable funding and maintenance for our infrastructure Content-Type: multipart/alternative; boundary=b641465525184968b690ad78090e2df1 Received-SPF: pass client-ip=103.168.172.150; envelope-from=jonathan@terracrypt.net; helo=fout7-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -6.54 X-Spam-Score: -6.54 X-Migadu-Queue-Id: BF48DA3A5 X-Migadu-Scanner: mx11.migadu.com X-TUID: 34KSSB734YzY --b641465525184968b690ad78090e2df1 Content-Type: text/plain Content-Transfer-Encoding: 7bit On Wed, Aug 14, 2024, at 9:21 AM, Felix Lechner wrote: > The serving someone else's substitutes could also arise more innocently, > for example via a technical misconfiguration or because of an incentive > system that rewards the contribution of substitutes. Yes, indeed. And you may very well want such an incentive system, because having many people distribute substitutes in a P2P system is a natural way for people to contribute their own bandwidth. > Is it possible for someone to reliably attest that they individually > built a reproducible work product? I believe the needed variation in > inputs, like a hash, is incompatible with the goal of reproducability. I think it's possible if the signature is detached from the reproducible work product to be signed. For example, it's like the difference between an embedded and detached signature of a file signed by GPG. Distributing a detached signature alongside a file doesn't change the hash of the file that's been signed. Of course, you may not have built the build inputs yourself either - but those can be authenticated separately. (Recursion!) --b641465525184968b690ad78090e2df1 Content-Type: text/html Content-Transfer-Encoding: quoted-printable
On Wed, Aug 14,= 2024, at 9:21 AM, Felix Lechner wrote:
The serving someone else's substitutes coul= d also arise more innocently,
for example via a technical = misconfiguration or because of an incentive
system that re= wards the contribution of substitutes.

Yes, indeed. And you may very well want such an incentive syste= m, because having many people distribute substitutes in a P2P system is = a natural way for people to contribute their own bandwidth.

Is it po= ssible for someone to reliably attest that they individually
built a reproducible work product?  I believe the needed variati= on in
inputs, like a hash, is incompatible with the goal o= f reproducability.

I think it'= s possible if the signature is detached from the reproducible work produ= ct to be signed. For example, it's like the difference between an embedd= ed and detached signature of a file signed by GPG. Distributing a detach= ed signature alongside a file doesn't change the hash of the file that's= been signed.

Of course, you may not have b= uilt the build inputs yourself either - but those can be authenticated s= eparately. (Recursion!)
--b641465525184968b690ad78090e2df1--