From: Mark H Weaver
Subject: Applying the GPG web-of-trust to Guix (was Re: Signed archives)
Date: Fri, 21 Feb 2014 17:10:37 -0500
Message-ID: <87k3co5d7m.fsf_-_@netris.org>
References: <87txcqesqv.fsf@karetnikov.org> <87eh3ure1r.fsf@gnu.org> <87bnyyiv2u.fsf_-_@karetnikov.org> <87ha8qo7rl.fsf@gnu.org> <8761p5jv1g.fsf@karetnikov.org> <87r47tfmes.fsf@gnu.org> <8738k0pj8c.fsf@karetnikov.org> <874n4fnhs7.fsf@gnu.org> <87ppmigld8.fsf@karetnikov.org>
In-Reply-To: <87ppmigld8.fsf@karetnikov.org> (Nikita Karetnikov's message of "Thu, 20 Feb 2014 13:54:27 +0400")
To: Nikita Karetnikov
Cc: guix-devel@gnu.org

Nikita Karetnikov writes:

> 3. How does a user get Hydra’s public key?
>
> 4. Will the entire cache be signed with a single key? (Mark, would you
> like to add something?)

FWIW, I think it's a mistake to have Hydra sign all binaries. Doing this would make Hydra a single point of failure, and therefore a very worthwhile machine for someone to hack into. Instead, the binaries should be signed by the build machine that produced them. Hydra's job should simply be to collect the set of signatures that have been made on a given binary.

Initially, the build machine's signature would be the only one, but then users should be able to upload their own signatures to Hydra, after they have independently verified that a given derivation produces a given binary.

I think that the design of the GPG web-of-trust is exactly applicable here, in almost all respects. Whereas the GPG web-of-trust is designed to allow users to gain confidence that a public key was truly produced by a given person, our Guix web-of-trust should be designed to give confidence that a given binary was truly produced by a given derivation.

Just as GPG keyservers allow anyone to add their signatures to certify that a public key was produced by a given person, and then distribute all of the accumulated signatures to anyone who requests a key, Guix hydra servers should allow anyone to add their signatures, and distribute all of them to anyone who requests a binary.

Just as GPG allows users to specify how much trust they place in a given person to certify that other keys were produced by their owners, Guix client software should allow users to specify their trust in a given person or build machine to certify that a given binary was produced by a given derivation.

Finally, just as GPG computes a metric of how much confidence you should have that a given key was produced by a given person, based on all of the above information, Guix should also produce such a metric. As far as I can tell, the trust metric algorithms are directly applicable to Guix.

I think that we should simply copy all of the concepts and algorithms from GPG.

What do you think?

Mark
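The trust-metric step of the proposal above, as an added Python example that is not part of the original message or of Guix itself: it applies GnuPG's classic validity rule (one fully trusted certifier, or three marginally trusted ones) to "derivation D produced binary B" attestations instead of key/identity bindings, and flags the case where trusted signers disagree about the output. Signer names, hashes and the Trust levels are constructed assumptions; verifying each signature against the signer's public key is assumed to have already happened.

```python
# Added example: a GnuPG-style trust metric over "derivation produced binary"
# attestations, as sketched in the message above.  Sample data is constructed.
from collections import defaultdict
from enum import IntEnum


class Trust(IntEnum):          # the user's own trust assignment per signer
    NONE = 0
    MARGINAL = 1
    FULL = 2
    ULTIMATE = 3


COMPLETES_NEEDED = 1           # mirrors GnuPG's --completes-needed default
MARGINALS_NEEDED = 3           # mirrors GnuPG's --marginals-needed default


def binary_validity(derivation, attestations, trust_db):
    """Return {binary_hash: 'full' | 'marginal' | 'unknown'} for one derivation.

    attestations: (signer, derivation_hash, binary_hash) triples whose
    signatures are assumed already verified.  trust_db: {signer: Trust}.
    """
    signers_by_binary = defaultdict(set)     # a set, so repeat signatures count once
    for signer, drv, binary in attestations:
        if drv == derivation:
            signers_by_binary[binary].add(signer)
    result = {}
    for binary, signers in signers_by_binary.items():
        levels = [trust_db.get(s, Trust.NONE) for s in signers]
        fulls = sum(t >= Trust.FULL for t in levels)       # ultimate counts as full
        marginals = sum(t == Trust.MARGINAL for t in levels)
        if fulls >= COMPLETES_NEEDED:
            result[binary] = "full"
        elif marginals >= MARGINALS_NEEDED:
            result[binary] = "marginal"
        else:
            result[binary] = "unknown"
    return result


def conflicting_binaries(validity):
    """Binaries that reach at least marginal validity for the same derivation.

    More than one means trusted signers attested different outputs: either the
    build is not reproducible or a signer / build machine is compromised.
    """
    return sorted(b for b, v in validity.items() if v != "unknown")


# Constructed sample: one build machine plus three users attest the same output,
# while an untrusted key attests a different one.
DRV = "drv-sample-0001"
ATTESTATIONS = [
    ("hydra-build-01", DRV, "bin-aaaa"), ("alice", DRV, "bin-aaaa"),
    ("bob", DRV, "bin-aaaa"), ("carol", DRV, "bin-aaaa"),
    ("mallory", DRV, "bin-ffff"),
]
TRUST = {"hydra-build-01": Trust.FULL, "alice": Trust.MARGINAL,
         "bob": Trust.MARGINAL, "carol": Trust.MARGINAL}
```

Dropping the build machine from TRUST leaves "bin-aaaa" only marginally valid via the three user signatures, and raising "mallory" to FULL makes conflicting_binaries report both outputs.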