From: Tobias Geerinckx-Rice
To: Leo Famulari
Cc: Arun Isaac, guix-devel@gnu.org
Subject: Re: Public guix offload server
Date: Thu, 21 Oct 2021 18:46:26 +0200
Message-ID: <874k9a71y4.fsf@nckx>
References: <878rynh0yq.fsf@systemreboot.net> <87cznz74l5.fsf@nckx>
Leo,

Leo Famulari wrote:
> Interesting... I'm not at all familiar with how `guix offload`
> works, because I've never used it. But it's surprising to me that
> this would be possible. Although after one minute of thought, I'm
> not sure why it wouldn't be.

Very quickly:

- You send an offload request to the offload server, but you also
  get to send any remotely missing store items that you already
  have, as opaque binaries (icecat could be tetris instead). This is
  why the offload server has to trust your key. It's valuable and
  shouldn't be removed, but making it optional[0] shouldn't be
  ‘too hard’.

- The offload sends back one or more store items, which is why you
  trust it. This part is just substitution in a different form
  (SSH vs. HTTPS etc.)

> However, the Guix security model trusts committers implicitly. So,
> if the committers' shared offload server had proper access control,
> one might consider it "good enough" in terms of security.

The two are *SO* different as to be incomparable IMO. You do point
out the difference, so I guess we just assess it very differently:

> Although the possibility of spreading malicious binaries is much
> scarier than what could be achieved by committing to guix.git,
> because of the relative lack of transparency.

Gotta run,

T G-R

[0]: Which would create the “second, less powerful offload protocol
where clients can submit only derivations to be built by the remote
daemon, plus fixed-output derivations” I imagined. But this is still
hand-waving at this point. :-)
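As an added illustration (not part of this thread or of Guix's own sources), here is how the two trust directions described above show up in a real offload setup: the client's `/etc/guix/machines.scm` plus the signing-key authorizations on each side. Host names, account names and key material are placeholders.

```scheme
;; /etc/guix/machines.scm on the client (the machine running `guix offload`).
;; Added example; "builder.example.org", the "offload" account and the key
;; strings are assumptions, not values from the thread.
(list (build-machine
        (name "builder.example.org")
        (systems (list "x86_64-linux"))
        (user "offload")
        ;; The builder's SSH host key. Pinning it fixes *which* host the client
        ;; will upload store items to and accept results from.
        (host-key "ssh-ed25519 AAAA...PLACEHOLDER...BUILDER-HOST-KEY root@builder")
        ;; The client's SSH private key used to log in to the builder.
        (private-key "/root/.ssh/id_ed25519_offload")))

;; SSH only authenticates the connection. Each daemon additionally verifies
;; the signature on store items it receives, so each side must authorize the
;; other's signing key (by default /etc/guix/signing-key.pub on each host):
;;
;;   on the builder:  guix archive --authorize < client-signing-key.pub
;;     -> the builder now accepts opaque store items the client uploads,
;;        which is the direction where "icecat could be tetris instead";
;;
;;   on the client:   guix archive --authorize < builder-signing-key.pub
;;     -> the client now accepts the built items the builder sends back,
;;        the same trust it would place in a substitute server.
```

Auditing an offload server therefore means reviewing its list of authorized client keys (the daemon's ACL), not just its SSH `authorized_keys`.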