From: Ludovic Courtès <ludovic.courtes@inria.fr>
To: guix-devel, guix-science@gnu.org
Subject: “Building a Secure Software Supply Chain with GNU Guix”
Date: Thu, 30 Jun 2022 16:13:10 +0200
Message-ID: <87zghu5jex.fsf@inria.fr>
Hello Guix!

I’m happy to announce the publication of a refereed paper in the Programming journal:

  https://doi.org/10.22152/programming-journal.org/2023/7/1

It talks about the “secure update” mechanism used for channels and how it fits together with functional deployment, reproducible builds, and bootstrapping.

Comments from reviewers showed that explaining the whole context was important to allow people not familiar with Guix or Nix to understand why The Update Framework (TUF) isn’t a good match, why Git{Hub,Lab} “verified” badges aren’t any good, and so on. What’s presented there is not new if you’ve been following along, but hopefully it puts things in perspective for outsiders.

I also think that one battle here is to insist on verifiability when a lot of work about supply chain security goes into “attestation” (with in-toto, sigstore, Google’s SLSA, and the likes.)

Enjoy!

Ludo’.
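As an added illustration of the channel “secure update” mechanism the announcement refers to (not code from the paper, from Guix, or from the author), the script below models the rule documented for Guix channels: starting from a trusted introduction commit and key fingerprint obtained out of band, every later commit must be signed by a key listed in the `.guix-authorizations` file of each of its parent commits. The OpenPGP signature check itself is abstracted away; each commit simply records the fingerprint assumed to have been verified as its signer. All commit ids, fingerprints and the sample history are constructed, and the function and class names (`Commit`, `authorized_keys`, `authenticate`, `is_authentic`) are this example's own.

```python
"""Toy model of the commit-authorization rule used by Guix channels.

Added illustration, not code from the paper or from Guix itself.  A commit is
acceptable only if its signing key appears in the .guix-authorizations file of
every parent commit; checking starts from a trusted introduction commit.  The
OpenPGP signature check is abstracted: each commit records the fingerprint of
the key assumed to have been verified as its signer.  All ids and fingerprints
below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class Commit:
    id: str
    parents: list           # ids of parent commits (empty for a root)
    signer: str             # fingerprint of the verified signing key
    authorizations: set     # fingerprints in .guix-authorizations at this commit


class AuthenticationError(Exception):
    pass


def authorized_keys(repo, commit):
    """Keys allowed to sign COMMIT: the intersection of the
    .guix-authorizations of all of its parents.  A root commit has no
    parents and therefore no authorized keys."""
    parents = [repo[pid] for pid in commit.parents]
    if not parents:
        return set()
    allowed = set(parents[0].authorizations)
    for parent in parents[1:]:
        allowed &= parent.authorizations
    return allowed


def authenticate(repo, introduction, target_id):
    """Check every commit from the introduction (exclusive) to TARGET_ID
    (inclusive) and return their ids in sorted order.  INTRODUCTION is a
    (commit id, fingerprint) pair obtained out of band: the trust root."""
    intro_id, intro_fpr = introduction
    if repo[intro_id].signer != intro_fpr:
        raise AuthenticationError(
            f"introduction commit {intro_id} is not signed by {intro_fpr}")
    verified = {intro_id}

    def check(cid):
        if cid in verified:
            return
        commit = repo[cid]
        if not commit.parents:
            raise AuthenticationError(
                f"commit {cid} does not descend from introduction {intro_id}")
        for pid in commit.parents:      # parents first, so their
            check(pid)                  # authorizations are already trusted
        if commit.signer not in authorized_keys(repo, commit):
            raise AuthenticationError(
                f"commit {cid} signed by {commit.signer}, "
                "which its parent(s) do not authorize")
        verified.add(cid)

    check(target_id)
    return sorted(verified - {intro_id})


def is_authentic(repo, introduction, target_id):
    """Boolean wrapper around authenticate()."""
    try:
        authenticate(repo, introduction, target_id)
        return True
    except AuthenticationError:
        return False


# Constructed sample history; fingerprints are placeholders, not real keys.
ALICE, BOB, MALLORY = "FPR-ALICE", "FPR-BOB", "FPR-MALLORY"

REPO = {c.id: c for c in [
    Commit("c0", [], ALICE, {ALICE}),                      # introduction commit
    Commit("c1", ["c0"], ALICE, {ALICE, BOB}),             # Alice authorizes Bob
    Commit("c2", ["c1"], BOB, {ALICE, BOB}),               # Bob may now sign
    Commit("c3", ["c2"], BOB, {BOB}),                      # Bob retires Alice's key
    Commit("c4", ["c3"], ALICE, {ALICE, BOB}),             # Alice signs anyway: rejected
    Commit("c5", ["c2"], MALLORY, {ALICE, BOB, MALLORY}),  # unauthorized key adds itself: rejected
    Commit("c6", ["c2"], BOB, {ALICE, BOB}),               # side branch still listing Alice
    Commit("c7", ["c3", "c6"], ALICE, {ALICE, BOB}),       # merge signed by Alice: only {BOB} is common to both parents
    Commit("c8", ["c3", "c6"], BOB, {BOB}),                # merge signed by Bob: accepted
]}
INTRODUCTION = ("c0", ALICE)

if __name__ == "__main__":
    for target in ["c3", "c4", "c5", "c7", "c8"]:
        verdict = "authentic" if is_authentic(REPO, INTRODUCTION, target) else "REJECTED"
        print(target, verdict)
```

The point the model makes is the one the announcement draws between verifiability and attestation: a user who knows only the introduction pair can re-derive, commit by commit, why a given channel state is acceptable, and a commit that adds an unlisted key to `.guix-authorizations` (c5) or that bypasses a key retirement (c4, c7) is rejected without consulting any third-party service.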