Mark H Weaver <m...@netris.org> writes:

> Nikita Karetnikov <nik...@karetnikov.org> writes:
>
>> 3. How does a user get Hydra’s public key?
>>
>> 4. Will the entire cache be signed with a single key? (Mark, would you
>> like to add something?)
>
> FWIW, I think it's a mistake to have Hydra sign all binaries. Doing
> this would make Hydra a single-point of failure, and therefore a very
> worthwhile machine for someone to hack into.

Ah, agreed. But I think here “Hydra” was understood as “the build machine behind hydra.gnu.org”, not specifically the machine at hydra.gnu.org.

I think the first milestone will be to have signatures at all, but I agree that what you describe is the next one.

> Instead, the binaries should be signed by the build machine that
> produced them. Hydra's job should simply be to collect the set of
> signatures that have been made on a given binary. Initially, the build
> machine's signature would be the only one,

If there are several build slaves behind hydra.gnu.org, the offload hook could also collect signatures from those machines.

> but then users should be able to upload their own signatures to Hydra,
> after they have independently verified that a given derivation
> produces a given binary.

Agreed. (That would mean either modifying Hydra, or coming up with an alternative system, I think.)

[...]

> As far as I can tell, the trust metric algorithms are directly
> applicable to Guix. I think that we should simply copy all of the
> concepts and algorithms from GPG.

The analogies you make indeed show which concepts could be applicable.

Technically, I think SPKI is more appropriate than OpenPGP here, because OpenPGP is really about certifying bindings between email addresses and human beings. (And ‘guix authenticate’ & co. already are very SPKI-like.)

In particular, as Niels mentioned recently, delegation in SPKI may help address some of these issues: users could publish delegation certificates for the ‘guix-import’ tag, meaning that A trusts B for the purposes of importing archives signed by B.

From there, I think we should try to come up with a road map, because it’ll be hard to address all of that at once.

Ludo’.
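The two ideas discussed in this message (a binary carrying signatures from several independent signers, and SPKI-style delegation certificates for a ‘guix-import’ tag) can be modelled as a small trust check. The following is an added example written for this thread, not Guix or Hydra code: key names, the `DelegationCert` shape and the sample certificates are all constructed, and cryptographic verification of each signature is assumed to have happened before the signer names reach this code.

```python
from collections import deque
from dataclasses import dataclass

TAG = "guix-import"  # the tag name used in the thread


@dataclass(frozen=True)
class DelegationCert:
    """Simplified SPKI-style certificate (constructed for this example):
    `issuer` trusts `subject` for `tag`; `propagate` mirrors SPKI's
    delegation bit and lets the subject extend the chain further."""
    issuer: str
    subject: str
    tag: str
    propagate: bool = False


def trusted_signers(user, certs, tag=TAG):
    """Keys `user` accepts for `tag`, found by walking delegation chains.
    A chain only continues through a key whose certificate allowed
    propagation; the user's own key is always trusted."""
    trusted = {user}
    queue = deque([(user, True)])  # (key, may_delegate_further)
    while queue:
        key, may_delegate = queue.popleft()
        if not may_delegate:
            continue
        for c in certs:
            if c.issuer == key and c.tag == tag and c.subject not in trusted:
                trusted.add(c.subject)
                queue.append((c.subject, c.propagate))
    return trusted


def accept_substitute(user, signers, certs, threshold=1, tag=TAG):
    """True if the binary's (already verified) signatures include at least
    `threshold` keys that `user` trusts for `tag`. A threshold above 1
    is how the 'several signatures per binary' idea removes the single
    point of failure: one compromised build machine is not enough."""
    return len(set(signers) & trusted_signers(user, certs, tag)) >= threshold


# Constructed sample: alice trusts hydra and lets it delegate to its build
# slaves; build2 is trusted but may not delegate, so mallory stays untrusted.
SAMPLE_CERTS = [
    DelegationCert("alice", "build1", TAG),
    DelegationCert("alice", "hydra", TAG, propagate=True),
    DelegationCert("hydra", "build2", TAG),
    DelegationCert("build2", "mallory", TAG),
]
```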