zimoun writes: > Your question is: how can Alice be sure that she runs the same > binaries on aneto and balaitou? other said how can she detect baloitou > has been compromised? > Is it your use-case? Yes, you got it right! :) > If yes, Alice can : > > 1. check the integrity on the balaitou machine by running "guix gc --verify" I'm not sure this works because if `guix' itself is compromised, `guix gc --verify' becomes irrelevant. Or is there another way? > 2. publish the store of aneto with "guix publish" And then install packages from balaitou? But if Balaitou's "guix" is compromised, it does not matter that the substitute server is trusted. Or did you mean something else? > 3. challenge the store of balaitou against the store of aneto with > "guix challenge" This seems like a good option. In particular, this should verify "guix" itself, and thus everything else. So I'd reverse your point. By first challenging Balaitou, we can trust the guix executable and from there we can run 1. and 2. Thoughts? -- Pierre Neidhardt https://ambrevar.xyz/