From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: Signed archives (preliminary patch)
Date: Fri, 28 Feb 2014 04:21:36 -0500
Message-ID: <87txbjoan3.fsf@yeeloong.lan>
References: <87txcqesqv.fsf@karetnikov.org> <87eh3ure1r.fsf@gnu.org>
	<87bnyyiv2u.fsf_-_@karetnikov.org> <87ha8qo7rl.fsf@gnu.org>
	<8761p5jv1g.fsf@karetnikov.org> <87r47tfmes.fsf@gnu.org>
	<8738k0pj8c.fsf@karetnikov.org> <874n4fnhs7.fsf@gnu.org>
	<87ppmigld8.fsf@karetnikov.org> <87y514dv2u.fsf@gnu.org>
	<87y50wffjy.fsf_-_@karetnikov.org> <874n3kp46f.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50617)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1WJJee-0008N5-3w
	for guix-devel@gnu.org; Fri, 28 Feb 2014 04:22:57 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1WJJeX-0002Gg-5L
	for guix-devel@gnu.org; Fri, 28 Feb 2014 04:22:51 -0500
In-Reply-To: <874n3kp46f.fsf@gnu.org> ("Ludovic
	\=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
	\=\?utf-8\?Q\?s\?\= message of "Thu, 27 Feb 2014 23:43:36 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

ludo@gnu.org (Ludovic Court=C3=A8s) writes:

> The difficulty here will be to compute the hash up to the Signature
> field.  To do that, =E2=80=98read-narinfo=E2=80=99 should probably:
>
>   1. read everything from PORT with =E2=80=98get-string-all=E2=80=99 in a=
 string (make
>      sure PORT=E2=80=99s encoding is UTF-8);
>
>   2. isolate the lines before the ^[[:blank:]]*Signature[[:blank:]]:
>      line;
>
>   3. compute the hash of those lines;
>
>   4. do (fields->alist (open-input-string the-whole-string));
>
>   5. pass the hash to the signature verification procedure.
>
> Does that make sense?

Apologies in advance if I'm failing to understand, but I'm concerned
about bundling a single principal signature into the narinfo file.
Not only does it cause the complications discussed above, but more
importantly, it seems to introduce an architectural bias toward an
authentication scheme where everyone is encouraged to place their
trust in a single centralized build system.

How do you envision the transition from this single-signature
architecture to one where other users and/or independent build farms
can add their signatures to hydra?  Will those signatures be treated
differently than the signatures created by hydra.gnu.org?  Will they
be stored and sent to users using a different mechanism?

    Regards,
      Mark