Hello Guix!

I’m happy to announce the publication of a refereed paper in the Programming journal:

https://doi.org/10.22152/programming-journal.org/2023/7/1

It talks about the “secure update” mechanism used for channels and how it fits together with functional deployment, reproducible builds, and bootstrapping.

Comments from reviewers showed that explaining the whole context was important to allow people not familiar with Guix or Nix to understand why The Update Framework (TUF) isn’t a good match, why Git{Hub,Lab} “verified” badges aren’t any good, and so on.

What’s presented there is not new if you’ve been following along, but hopefully it puts things in perspective for outsiders. I also think that one battle here is to insist on verifiability when a lot of work about supply chain security goes into “attestation” (with in-toto, sigstore, Google’s SLSA, and the like).

Enjoy!

Ludo’.