From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id APSTO+a41mIwKQAAbAwnHQ (envelope-from ) for ; Tue, 19 Jul 2022 16:00:07 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id 6AqCOua41mIkGQAAG6o9tA (envelope-from ) for ; Tue, 19 Jul 2022 16:00:06 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id AF9C73D07A for ; Tue, 19 Jul 2022 16:00:06 +0200 (CEST) Received: from localhost ([::1]:51472 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oDnld-0004AY-Fw for larch@yhetil.org; Tue, 19 Jul 2022 10:00:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:48874) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oDnex-0007pn-Ki for guix-devel@gnu.org; Tue, 19 Jul 2022 09:53:11 -0400 Received: from michel.telenet-ops.be ([2a02:1800:110:4::f00:18]:49348) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1oDnev-00036K-9E for guix-devel@gnu.org; Tue, 19 Jul 2022 09:53:11 -0400 Received: from ptr-bvsjgyig5nh0salm0pi.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:5dba:d409:33f7:a16]) by michel.telenet-ops.be with bizsmtp id x1t32700C20ykKC061t4JJ; Tue, 19 Jul 2022 15:53:04 +0200 Message-ID: <5d62345dd217d2f262b27c68f8a445bf4f959040.camel@telenet.be> Subject: Re: =?UTF-8?Q?=E2=80=9CBuilding?= a Secure Software Supply Chain with =?UTF-8?Q?GNU=C2=A0Guix=E2=80=9D?= From: Maxime Devos To: Ludovic =?ISO-8859-1?Q?Court=E8s?= , Zhu Zihao Cc: guix-science@gnu.org, guix-devel@gnu.org Date: Tue, 19 Jul 2022 15:53:03 +0200 In-Reply-To: <87k08a4xmy.fsf@inria.fr> References: <87zghu5jex.fsf@inria.fr> <86fsj0nnxy.fsf@163.com> <87k08a4xmy.fsf@inria.fr> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22; t=1658238784; bh=KKjmVULGKWpSdArFwjM1HYcq4LUDA7UuOSi+Kl5zvSo=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=VXHNxFTKKzcR9j2iDRsDpwU56w4/J74l+pYsxFF22o6/qpfdbLAXDAWP3coz3EjHD +cEvfwgxMEqzcFTAAFWzzq2yggzFx7DXjqVjUYpPyWRA8kGvMmIEdE7T/eehDibTgL TTnmdAele00Q3cBR+g2A/oX6ZqGWYHyDYeiL0fnoSVOoz5a5HJZK8iVvAVtE8z+oHZ x+JXrgI6H58BNoGKxWZomwkIJnlgeqdTiAoFd5gWwyYvxGbqhi71XnRZSvtFGhpDPd P+YUJ5AOofgKWNAfwwxuFNxRqMYzqiVKX4ao0go5QRLTxPwpjf82tducrwtVR1yqY3 6Z35jAxxn3SXA== Received-SPF: pass client-ip=2a02:1800:110:4::f00:18; envelope-from=maximedevos@telenet.be; helo=michel.telenet-ops.be X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1658239206; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=KKjmVULGKWpSdArFwjM1HYcq4LUDA7UuOSi+Kl5zvSo=; b=P3qjFP28zn/x94QeNKKuHWu6Qt5ueTQRirMdKrHC3ZuijfQKaEkLR0fZWIAROn0H5WXZ3a gwiYCMCKn492xWdDzKwG4uwAlieeFXBoZTOzf20zuv1PgUHkBHJ9+ywfyOuhiomRNkjYB9 upEy36f+1nMzzDF7i6GdZP+2PMmJ66vNg/ED2DEMP0hdKw/d7sA6aVmh3TP9jAXggwEUYL ykkgcww8bPHA/jUrSW2/H3aHYw1mXobT76EJMgHWsBNK8Jzi8jWn6CcR0uDp+SRCcSY4aX snw7a+jLVaMSuz+hBTWr0/mESvI0WecWebo8w4HsTCixoo0uqHXE7ky+eBueMQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1658239206; a=rsa-sha256; cv=none; b=naYQ1H4QI9ILts5Hko0bFGczY8azE/PyaNvobCXcOZXSfoSgq+nb8xIRvMUnaVVLWbrDlW JsNv0A3mSMQaKYxmGEd+Aqlex3TUsFPhT/rJEnmcqhzmUy5Iz1jRMtkSS6jP618rSXgZL7 0VsRQASPG4HlvXcDdJy9qA+I3vbgK6u3VnJgC7OgOseGx5nkt124spMNaE4UHKkMSXbOtW zBMIgDMH0ywQPGEfbRch64IoE6ehxKRwdDDeCO7pmuf678EkWMRT1GnxUrH8EBrHTOmXlt FpJlOVi1bEx14IZVqZMvEgEpV70EZM7CAEIMEdr4o2oaTqEscK1EYyAaCZFYxA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r22 header.b=VXHNxFTK; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -4.03 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r22 header.b=VXHNxFTK; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: AF9C73D07A X-Spam-Score: -4.03 X-Migadu-Scanner: scn1.migadu.com X-TUID: 2jYD2AfKrimP Ludovic Courtès schreef op ma 18-07-2022 om 10:45 [+0200]: > The model here is that users trust authorized committers.  When you > think about it, there’s no way around it, because at the end of the > day, you’re installing software that an authorized committer added to > the channel. FWIW, something I haven't seen mentioned yet is that the trust problem could be reduced by some kind of multisig system, where multiple independent persons would need to sign the commit for it to be accepted, though that might be technically hard to implement and probably be too people-time-expensive currently. Greetings, Maxime.