[Nix-dev] Sidestepping the community builds trust issue?

Anders Papitto anderspapitto at gmail.com
Fri Dec 25 06:31:14 CET 2015


A web-of-trust type approach is what I have previously heard discussed. In
the context of such an approach, I have three things to say in support of
my proposal.

1. My proposal requires no changes to the status quo trust model that we
have today. In other words, it is fully backwards-compatible from a
trust/security standpoint. This means that it does not require any buy-in
from the community at large. From the perspective of an end user, all that
I will notice is that hydra's build farm seems to have gotten
bigger/faster. Switching to a web-of-trust style approach requires buy-in
from the entire community, and therefore has high
synchronization/communication overhead to implement.
2. My proposal is straightforward to implement. It requires a single
technical change (support for prioritized build requests in the scheduler),
and such a feature is in no way technically novel or challenging. A
web-of-trust style approach has more technical challenges, including
deterministic builds and maintaining the web itself.
3. In those first two points, I claim some advantage relative to a
web-of-trust style approach. However, both ideas are fully compatible.
Precisely because my suggestion makes no changes to the current trust
model, it would be just as easy (or difficult) to add in a web-of-trust
style mechanism afterwards. However, of the two, it seems to me that this
idea has significantly lower barriers to full implementation in the short
term, which is why I bring it up.

- Anders Papitto

On Thu, Dec 24, 2015 at 7:30 PM Tim Barbour <trb at categorical.net> wrote:

> On Thu, 24 Dec 2015 21:21:03 +0000,
> Anders Papitto wrote:
> > I've seen several conversations centered on how to enable private
> > individuals and/or companies to contribute to publicly available binary
> > caches, without requiring end users to explicitly trust those private
> > entities. The main problem, for which I'm not aware of a complete
> > solution, is that there is no way to verify a build output provided by
> > such a private entity is actually the result of an honest build.
> > [...]
>
> I have thought this way too, but perhaps it is the wrong way around.
>
> Perhaps it would be better to encourage private entities to provide binary
> caches, regardless of their integrity, then check hashes between the
> caches. Given a sufficient number of caches, any compromised cache should
> be quickly detected by discrepancies in hashes (comparisons could be done
> by end users, among others).
>
> This reminds me of how a PGP-style web of trust is better than trusting a
> central certificate authority to guarantee integrity.
>
> Tim
>
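The cross-cache hash comparison Tim describes, as an added illustration that is not code from this thread or from Nix itself: a strict-majority vote over what each cache claims for a store path, with the two cases where no conclusion can be drawn (a single cache, or an even split) reported explicitly rather than silently trusted. Cache names, store paths and hash strings are constructed placeholders.

```python
from collections import Counter

# Constructed sample: the NAR hash each cache claims for a store path.
# Cache names, paths and hash strings are placeholders, not real Nix data.
CACHE_REPORTS = {
    "cache-a.example": {"/nix/store/x1-hello-2.10": "sha256:1111",
                        "/nix/store/x2-zlib-1.2.8": "sha256:2222",
                        "/nix/store/x3-only-here": "sha256:3333",
                        "/nix/store/x4-openssl-1.0": "sha256:4444"},
    "cache-b.example": {"/nix/store/x1-hello-2.10": "sha256:1111",
                        "/nix/store/x2-zlib-1.2.8": "sha256:2222",
                        "/nix/store/x4-openssl-1.0": "sha256:4445"},
    "cache-c.example": {"/nix/store/x1-hello-2.10": "sha256:1111",
                        "/nix/store/x2-zlib-1.2.8": "sha256:dead"},  # dissents
}


def cross_check(reports, quorum=2):
    """Compare what every cache claims for every store path.

    Returns {path: (status, consensus_hash, dissenting_caches)} with status
      'agreed'    - >= quorum caches serve the path and all report one hash
      'conflict'  - a strict majority agrees but some cache reports another
      'split'     - no hash has a strict majority, nothing can be concluded
      'unchecked' - fewer than quorum caches serve the path at all
    """
    by_path = {}
    for cache, entries in reports.items():
        for path, nar_hash in entries.items():
            by_path.setdefault(path, {})[cache] = nar_hash
    result = {}
    for path, claims in by_path.items():
        if len(claims) < quorum:
            result[path] = ("unchecked", None, [])
            continue
        top_hash, top_count = Counter(claims.values()).most_common(1)[0]
        if 2 * top_count <= len(claims):       # no strict majority
            result[path] = ("split", None, sorted(claims))
            continue
        dissent = sorted(c for c, h in claims.items() if h != top_hash)
        result[path] = ("conflict" if dissent else "agreed", top_hash, dissent)
    return result


def suspect_caches(reports, quorum=2):
    """Caches that disagreed with a majority at least once: candidates for
    investigation, not proof of compromise (the majority could be wrong)."""
    return sorted({c for s, _, d in cross_check(reports, quorum).values()
                   if s == "conflict" for c in d})
```

A path that only one cache serves, or on which the caches split evenly, gets no verdict either way; that is the point of reporting it rather than picking a side.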

