Hello Guix!

I’m happy to announce the publication of a refereed paper in the
Programming journal:

  https://doi.org/10.22152/programming-journal.org/2023/7/1

It talks about the “secure update” mechanism used for channels and how
it fits together with functional deployment, reproducible builds, and
bootstrapping.  Comments from reviewers showed that explaining the whole
context was important to allow people not familiar with Guix or Nix to
understand why The Update Framework (TUF) isn’t a good match, why
Git{Hub,Lab} “verified” badges aren’t any good, and so on.

What’s presented there is not new if you’ve been following along, but
hopefully it puts things in perspective for outsiders.

I also think that one battle here is to insist on verifiability when a
lot of work about supply chain security goes into “attestation” (with
in-toto, sigstore, Google’s SLSA, and the like).

Enjoy!

Ludo’.
