From: zimoun
To: Bengt Richter
Cc: Ludovic Courtès, guix-devel, guix-science@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Mon, 04 Jul 2022 10:21:13 +0200
Message-ID: <86ilod1e6e.fsf@gmail.com>
In-Reply-To: <20220703103839.GA41557@LionPure>
References: <87zghu5jex.fsf@inria.fr> <20220630213735.GA9726@LionPure> <87h741nq6w.fsf@gmail.com> <20220703103839.GA41557@LionPure>

Hi,

On Sun, 03 Jul 2022 at 12:38, Bengt Richter wrote:

>> I do not think committers are pushing code about #1, #2 or #3 that they
>> know beforehand it will cause a problem.
>
> Hm, -- unless ... ? :)

I do not understand what you mean.

>> The GPG trust level works because it is based on the web of trust.
>> Here, there is no web, IMHO.
>
> Well, guix developers who know each other well "in real life" have a pretty
> good web, if not formal, no? :)

Maybe I miss something. IIUC, you are proposing to attach a level of trust to each commit.

If this level for one commit is set by one committer, then the outcome is poor because this level strongly depends on the committer. Committer A could say 0 and committer B would say 3 for the same commit; in other words, the level depends on who does the job, so it is too dependent on the committer's mood to be useful, security-wise. In this case, there is no web of trust.

If this level for one commit is set by more than one committer, then it is not affordable, because it means we are doing double (or more) review when the project is trying to just deal with merging all the submissions. In this case, there is a web of trust, but it is not doable considering the rate of commits.
> I'm just looking for some greppable coded hint of the difference between
> a package that consists of e.g. a reverse polish calculator homework
> assignment that a nerdy friend showed how to submit as a package, vs.
> e.g. a package where the comments say over 10K subscribers have now been
> running this hundreds of times daily for 2 months of beta testing with
> no reported problems. Vs. This is alpha stuff, but seems harmless enough
> if you run it in a container. Run OpenBSD. ;-)
> I'm not asking any guarantees, just a professional's quick judgement.
> Like a chef's quick opinion on the cantaloupes at the open market.

Why should this professional's quick judgment come from the package manager (packager, reviewer, committer) and not from a community around the specific software, however it is distributed?

Cheers,
simon