Hello Guix!

It was a great, productive week and I would really like to thank everyone that made this possible. Now some things I want to add:

* Signatures challenges

We had a session on how each project signs the binaries it distributes and ways to achieve build system compromise detection. Georg from the Tor project told us about this paper which describes how we can secure a system against such attacks.

I discussed with Ludovic the need to have an automated system that will continuously verify the binary outputs from multiple build sources so we can find any possible malicious compromises. But in order to do that we need to increase our build servers and/or implement the peer to peer binary distribution (Remi?). More machines - more builds to compare.

The above will also help in testing Guix reproducibility. Finally I will help Holger install Guix on the ProfitBricks-sponsored machines.

* Authenticating code from a Git repo

Here I agree with Ludovic that we should find a way to do something similar with Qubes, so we can at least be able to pinpoint a future compromise if it happens.

That's what I wanted to add for now. This was a great week, I learned a lot of new things from a great bunch of smart and friendly people and I believe we should get a lot more involved in this initiative.

Manolis.