From mboxrd@z Thu Jan  1 00:00:00 1970
From: zimoun <zimon.toutoune@gmail.com>
Subject: Re: Guix and remote trust
Date: Fri, 13 Dec 2019 16:26:13 +0100
Message-ID: <CAJ3okZ3UjswCF+ud6u5yjMgU-s6LB2bgpzJzSSwmZnV04RqgAg@mail.gmail.com>
References: <87eex9r5ay.fsf@ambrevar.xyz> <87h825wkj6.fsf@cbaines.net>
 <87h824d319.fsf@ambrevar.xyz>
 <CAJ3okZ0bfTPi60rjKL8mSNjr_Gp-FNd=1XJx22-FfwYe_R32mQ@mail.gmail.com>
 <8736doct1z.fsf@ambrevar.xyz>
 <CAJ3okZ3dVFE85HQQ261KNub4YBP5fSvB151Fr6nALQmu4FH+jg@mail.gmail.com>
 <87d0csbbyh.fsf@ambrevar.xyz> <87d0css5uh.fsf@ambrevar.xyz>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:41583)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <zimon.toutoune@gmail.com>) id 1ifmpm-00078r-B6
 for help-guix@gnu.org; Fri, 13 Dec 2019 10:26:27 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <zimon.toutoune@gmail.com>) id 1ifmpl-0003bk-D2
 for help-guix@gnu.org; Fri, 13 Dec 2019 10:26:26 -0500
Received: from mail-qt1-x82b.google.com ([2607:f8b0:4864:20::82b]:46231)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <zimon.toutoune@gmail.com>)
 id 1ifmpl-0003a7-7d
 for help-guix@gnu.org; Fri, 13 Dec 2019 10:26:25 -0500
Received: by mail-qt1-x82b.google.com with SMTP id 38so2512361qtb.13
 for <help-guix@gnu.org>; Fri, 13 Dec 2019 07:26:25 -0800 (PST)
In-Reply-To: <87d0css5uh.fsf@ambrevar.xyz>
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/help-guix>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: Pierre Neidhardt <mail@ambrevar.xyz>
Cc: help-guix <help-guix@gnu.org>

Hi Pierre,

Thinking a bit of your issue and you have right: you cannot.
I mean, if you cannot trust the Guix daemon on a remote machine,
everything is doomed. Period! :-)

To me, you are asking: how can I verify the validity of a signature
using an untrusted GPG. Well, you cannot. The untrusted GPG can say
whatever it wants then it is game over. Trusting trust attack.

Well, so you need to transport one trusted Guix on the untrusted
machine balaitou.
For example, you create a container with Guix (code and daemon) from
the trusted machine aneto and then you move this container to
balaitou. From the machine balaitou, you start the container mounting
/gnu/store/ and verify the integrity (using the trusted guix). Then
you will know if you can trust or not the /gnu/store.
Something like that... I do not know.


Cheers,
simon