From mboxrd@z Thu Jan 1 00:00:00 1970 From: Chris Marusich Subject: Re: [GSoC] Draft of my proposition Date: Tue, 22 Mar 2016 23:17:25 -0700 Message-ID: <87fuvhvhu2.fsf@gmail.com> References: <87h9g09nrr.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:53275) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aic6q-0005Rq-Uc for guix-devel@gnu.org; Wed, 23 Mar 2016 02:17:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aic6n-00076n-L2 for guix-devel@gnu.org; Wed, 23 Mar 2016 02:17:36 -0400 Received: from mail-pf0-x231.google.com ([2607:f8b0:400e:c00::231]:36653) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aic6n-00076i-9b for guix-devel@gnu.org; Wed, 23 Mar 2016 02:17:33 -0400 Received: by mail-pf0-x231.google.com with SMTP id u190so11625268pfb.3 for ; Tue, 22 Mar 2016 23:17:33 -0700 (PDT) In-Reply-To: (vincent@cloutier.co's message of "Mon, 21 Mar 2016 22:19:09 +0000 (GMT)") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: vincent@cloutier.co Cc: Guix Devel --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable writes: > Since Guix users know in advance the hash of the data they want, > downloading from peers has no security implications (and privacy can > be done trough proxies). How will trust work in the IPFS world? I think maybe you touch on this when you later mention "building consensus on a package=E2=80=99s hash", bu= t it wasn't entirely clear to me. My understanding is that because Guix uses a cryptographic hash function, it's true that if you have some data, you know the expected hash value of that data, and the computed hash value of the data matches the expected hash value, then you can be confident that the data hasn't been corrupted or tampered with. However, how do you know the expected hash value was correct to begin with? How can you trust it? Currently, I believe that Guix handles trust by refusing to use substitutes that are not signed by a trusted key. The substitutes built and vended by hydra.gnu.org are signed with Hydra's key, and users of Guix must trust Hydra's key in order to use Hydra's substitutes. > I have a fascination for peer-to-peer tech and I am constantly looking > for the innovative new tech in this area (Bitcoin, Ethereum, > etc). Less than a year ago I discovered IPFS, a project that takes the > best ideas from BitTorrent and Git to create a simple and elegant > protocol. > > IPFS allows one to find who has a piece of content and is ready to > share it, when knowing only the content=E2=80=99s hash. Content is added = in a > reproducible manner and deduplication can be added via Merkle > trees. IPFS is also content-agnostic, one could serve Guix=E2=80=99s prog= rams > without even running Guix. It would also be possible to share text or > video documentation using IPFS. This is a very compelling idea! Thank you for sharing it; IPFS is new to me, and it looks intriguing. I understand that in the past, R=C3=A9mi Birot-Delrue did some work on a similar project to enable publication of packages over GNUnet: https://lists.gnu.org/archive/html/guix-devel/2015-05/msg00022.html Although progress was made, I don't think the project to publish packages over GNUnet was fully completed. This seems to be the last email thread from R=C3=A9mi: https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00455.html Have you considered picking up where R=C3=A9mi left off? Even if you choose not to use GNUnet instead of IPFS, perhaps R=C3=A9mi's prior work can help you as you work on your project. > A couple of years ago I realized that every tool I had learn and > everything that I tinkered with was free and open source > software. Almost everything I achieved with computers was because of > people who shared their knowledge and technologies and I want to > contribute back. That's fantastic! Thank you for stepping up and helping. =2D-=20 Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJW8jT4AAoJEN1AmhXYIkad1vYQAJfTRijvQyw7h/co9Q3PYGe/ AAdPuRkQff3iC/5XKKM6QyUgTx4DqHJmXQZIkEXiRzEZN2slsnWRa9jx7fxlKpZW Oi1lCml261vCPqaEq/9AIEDsp2Gx0so56hdAJcnFkNm9BMob9zM0c7xiLywBp1pu KCeT6HpL0PVbOsMqsZb2RL1kMq6Jhd8Sg4Aw0iz0jxGoLjuBmGREZTEh9BQCnVa1 oBP+rJicTe0SUMsFebWj1C+VfwC5El5UiaHtMgxrmpx0Fv6UcHWBZlLTNQMinwuY hFm90IIQ9guNv49+eJrNaK/3fFdW49HN/bCvx/4jVF+iMkPfqRTV+305CmVbgCl4 OFp9G1ayj7UjtMz+Eb05LZaOyKBq1VJ6sHCqiQcn354CTgfrmZ3rfGzv3crgSE2s muezF6hB8ufbuevcet2fYfGLtdpiu2IfmvQPkBKgpvZfu48Esy30YVvclsEItDQR b2kMPCW5r8Na8silqiy9QTlbamfTP7y2qRzQrYjifCFlJ9PXQAav8u3blotYltbP jibSoUYDuu0GzexDtPJ2SHSk4nNHz0DbfCpitz1qq0BMExLYv+lK2EKPaQaq5yJg lLzU6auvt38MLdQ/YA3jWsIwGuEF/N2I3n6mu5/sekCrHQIt9Nxc/iYi26p04Rll CkTC9W9zR13UUQaGymX1 =c0AG -----END PGP SIGNATURE----- --=-=-=--