From: Christopher Allan Webber
To: Leo Famulari
Cc: 22883@debbugs.gnu.org
Subject: bug#22883: Trustable "guix pull"
Date: Wed, 02 Mar 2016 13:07:04 -0800
Message-ID: <878u20si6f.fsf@dustycloud.org>

Leo Famulari writes:

> On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:
>> Right now, when a user does a "guix pull", that pulls down the latest
>> repository of code from git, which is kept in a tarball. Once you
>> receive the latest code, this has some checks: what's the hash of each
>> package, etc.
>
> A discussion worth having. But, let's merge this bug into
> debbugs.gnu.org/22629.

I'm not sure they should be merged, though they're related. That thread
doesn't deal at all with security, though it provides some other good
ideas. It even says:

  PS: I do not mention the issue of authenticating code here, which is
  obviously very important and deserves to be treated separately.

However I have no objections to merging them if others think we should.

> Also, we should read "The Update Framework" as requested there.

This? https://theupdateframework.github.io/

There seem to be quite a few papers there!