[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

“Building a Secure Software Supply Chain with GNU Guix”

From: Ludovic Courtès
Subject: “Building a Secure Software Supply Chain with GNU Guix”
Date: Thu, 30 Jun 2022 16:13:10 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux)

Hello Guix!

I’m happy to announce the publication of a refereed paper in the
Programming journal:

It talks about the “secure update” mechanism used for channels and how
it fits together with functional deployment, reproducible builds, and
bootstrapping.  Comments from reviewers showed that explaining the whole
context was important to allow people not familiar with Guix or Nix to
understand why The Update Framework (TUF) isn’t a good match, why
Git{Hub,Lab} “verified” badges aren’t any good, and so on.

What’s presented there is not new if you’ve been following along, but
hopefully it puts things in perspective for outsiders.

I also think that one battle here is to insist on verifiability when a
lot of work about supply chain security goes into “attestation” (with
in-toto, sigstore, Google’s SLSA, and the likes.)



Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]