Hi! On Tue, 21 Jul 2020 at 23:22, Ludovic Courtès <l...@gnu.org> wrote:
>>> >> • If we no longer deal with tarballs but upstreams keep signing
>>> >> tarballs (not raw directory hashes), how can we authenticate our
>>> >> code after the fact?
>>> >
>>> > Does Guix automatically authenticate code using signed tarballs?
>>>
>>> Not automatically; packagers are supposed to authenticate code when they
>>> add a package (‘guix refresh -u’ does that automatically).
>>
>> So I miss the point of having this authentication information in the
>> future where upstream has disappeared.
>
> What I meant above is that often, what we have is things like detached
> signatures of raw tarballs, or documents referring to a tarball hash:
>
> https://sympa.inria.fr/sympa/arc/swh-devel/2016-07/msg00009.html

I still miss why it matters to store detached signatures of raw tarballs.
The authentication is done now (at package time and/or inclusion in the
lookup table proposal). I miss why we would have to re-authenticate again
later.

IMHO, having a lookup table that returns the signatures from a tarball hash,
or an archive of all the OpenPGP keys ever published, is another topic.

>>> But today, we store tarball hashes, not directory hashes.
>>
>> We store what "guix hash" returns. ;-)
>> So it is easy to migrate from tarball hashes to whatever else. :-)
>
> True, but that other thing, as it stands, would be a nar hash (like for
> ‘git-fetch’), not a Git-tree hash (what SWH uses).

Ok, now I am totally convinced that a lookup table is The Right Thing™. :-)

>> I mean, it is "(sha256 (base32" and it is easy to have also
>> "(sha256-tree (base32" or something like that.
>
> Right, but that first and foremost requires daemon support.
>
> It’s doable, but migration would have to take a long time, since this is
> touching core parts of the “protocol”.

Doable but not necessarily tractable. :-)

>> I have not done yet the clear back-of-the-envelope computations. Roughly,
>> there are ~23 commits on average per day updating packages, so say 70%
>> of them are url-fetch, it is ~16 new tarballs per day, on average.
>> How will the model using a Git-repo scale? Because, naively, the
>> output of "disassemble-archive" in full text (pretty-print format) for
>> the hello-2.10.tar is 120KB and so 16*365*120K = ~700MB per year
>> without considering all the Git internals. Obviously, it depends on
>> the number of files and I do not know if hello is a representative
>> example.
>
> Interesting, thanks for making that calculation! We could make the
> format more compact if needed. Compressing should help.

Considering 14000 packages, based on this 120KB estimation, it leads to:
0.7*14k*120K = ~1.2GB for the Git-repo of the current Guix.

Cheers,
simon
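The thread turns on the difference between the hash of a tarball (what ‘guix hash’ and the detached signatures cover) and the Git-tree hash of its unpacked content (what SWH stores), and on why a lookup table between the two is needed. The following is an added, stand-alone illustration in Python; it is not code from this thread, from Guix or from SWH. It builds a constructed sample source tree under a hypothetical package name, packs it into two tarballs that differ only in their recorded mtimes, and shows that the tarball SHA-256 changes while the Git-tree SHA-1 of the content does not. The tree-object encoding follows Git's documented format (blob and tree objects, entries sorted with a trailing "/" on directory names); nar hashes and symlinks are not covered.

```python
"""Tarball hash versus Git-tree hash of the unpacked content.

Constructed example (not a real package): a tiny source tree is packed into
two tarballs that differ only in mtime.  The SHA-256 of the tarball changes;
the Git-tree SHA-1 of the unpacked directory (the identifier SWH uses for
directories) does not.  Neither hash can be derived from the other, which
is why a tarball-hash -> tree-hash lookup table has to be recorded while
the tarballs still exist.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Constructed sample source tree; contents are arbitrary.
SAMPLE_TREE = {
    "README": b"hello\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.h": b"#define UTIL_H 1\n",
}


def git_blob_id(data: bytes) -> str:
    """SHA-1 of the Git blob object 'blob <len>\\0<data>'."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def git_tree_id(directory: Path) -> str:
    """SHA-1 of the Git tree object for DIRECTORY, computed recursively.

    Entries are sorted by name, comparing directory names as if they ended
    in '/', and serialised as '<mode> <name>\\0<20 raw sha1 bytes>'.
    Regular files and sub-directories only; symlinks are not handled here.
    """
    entries = []
    for child in directory.iterdir():
        if child.is_dir():
            entries.append((child.name + "/", b"40000", child.name, git_tree_id(child)))
        else:
            mode = b"100755" if child.stat().st_mode & 0o111 else b"100644"
            entries.append((child.name, mode, child.name, git_blob_id(child.read_bytes())))
    body = b"".join(
        mode + b" " + name.encode() + b"\0" + bytes.fromhex(oid)
        for _key, mode, name, oid in sorted(entries, key=lambda e: e[0])
    )
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def tarball_sha256(directory: Path, mtime: int) -> str:
    """SHA-256 of an in-memory tar archive of DIRECTORY with all mtimes set to MTIME."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(directory.rglob("*")):
            info = tar.gettarinfo(str(path), arcname=str(path.relative_to(directory)))
            info.mtime = mtime
            if path.is_file():
                with open(path, "rb") as f:
                    tar.addfile(info, f)
            else:
                tar.addfile(info)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def write_files(root: Path, files: dict) -> None:
    """Populate ROOT from FILES ({relative path: bytes})."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def tree_id_of(files: dict) -> str:
    """Git-tree id of a directory populated from FILES, independent of any tarball."""
    with tempfile.TemporaryDirectory() as tmp:
        write_files(Path(tmp), files)
        return git_tree_id(Path(tmp))


def build_lookup_table(files: dict = SAMPLE_TREE) -> dict:
    """Map tarball SHA-256 -> Git-tree id for two tarballs of the same content.

    The two tarballs differ only in mtime, so the table ends up with two
    distinct keys pointing at one tree id.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "hello-0.1"  # hypothetical package directory name
        write_files(root, files)
        tree_id = git_tree_id(root)
        return {
            tarball_sha256(root, mtime=0): tree_id,
            tarball_sha256(root, mtime=1_595_000_000): tree_id,
        }


if __name__ == "__main__":
    for tarball_hash, tree_id in build_lookup_table().items():
        print(f"{tarball_hash}  ->  {tree_id}")
```

Run it and the two printed SHA-256 keys differ while the tree id on the right is the same on both lines; the same holds for any other metadata-only difference (owner, ordering, compression), which is exactly what makes the tarball hash useless for finding content in an archive that stores trees.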