Re: Guix and remote trust

From: zimoun
Subject: Re: Guix and remote trust
Date: Fri, 13 Dec 2019 16:26:13 +0100

Hi Pierre,

Thinking a bit about your issue, you are right: you cannot.
I mean, if you cannot trust the Guix daemon on a remote machine,
everything is doomed. Period! :-)

To me, you are asking: how can I verify the validity of a signature
using an untrusted GPG? Well, you cannot. The untrusted GPG can say
whatever it wants, and then it is game over. Trusting-trust attack.

Well, so you need to transport one trusted Guix to the untrusted
machine balaitou.
For example, you create a container with Guix (code and daemon) from
the trusted machine aneto and then you move this container to
balaitou. From the machine balaitou, you start the container, mounting
/gnu/store/, and verify the integrity (using the trusted guix). Then
you will know whether or not you can trust the /gnu/store.
Something like that... I do not know.


