Re: Sustainable funding and maintenance for our infrastructure
From: Jonathan Frederickson
Subject: Re: Sustainable funding and maintenance for our infrastructure
Date: Sat, 24 Aug 2024 19:15:26 -0400
On Wed, Aug 14, 2024, at 9:21 AM, Felix Lechner wrote:
> The serving of someone else's substitutes could also arise more innocently,
> for example via a technical misconfiguration or because of an incentive
> system that rewards the contribution of substitutes.
Yes, indeed. And you may very well want such an incentive system, because having many people distribute substitutes in a P2P system is a natural way for people to contribute their own bandwidth.
> Is it possible for someone to reliably attest that they individually
> built a reproducible work product? I believe the needed variation in
> inputs, like a hash, is incompatible with the goal of reproducibility.
I think it's possible if the signature is detached from the reproducible work product to be signed. For example, it's like the difference between an embedded and detached signature of a file signed by GPG. Distributing a detached signature alongside a file doesn't change the hash of the file that's been signed.
Of course, you may not have built the build inputs yourself either - but those can be authenticated separately. (Recursion!)
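The detached-signature point in the message above, as an added Go example (not part of the original e-mail and not Guix code): two builders each sign the hash of the same bit-identical output, the artifact bytes stay untouched, and appending a signature to the artifact changes its hash so neither signature covers it any more. Ed25519, the Builder type, the builder names and the payload layout are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Builder struct { // hypothetical build machine holding its own signing key
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewBuilder(name string) Builder {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return Builder{name, pub, priv}
}

// payload binds the signer's name to the artifact hash (assumed layout).
func payload(name string, artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return append([]byte("built-by:"+name+"\x00"), d[:]...)
}
// Attest returns a detached signature; the artifact bytes are not modified.
func (b Builder) Attest(artifact []byte) []byte {
	return ed25519.Sign(b.priv, payload(b.Name, artifact))
}

// CountSigners counts trusted builders whose signature covers these exact bytes.
func CountSigners(artifact []byte, sigs map[string][]byte, trusted []Builder) int {
	n := 0
	for _, b := range trusted {
		if ed25519.Verify(b.Pub, payload(b.Name, artifact), sigs[b.Name]) {
			n++
		}
	}
	return n
}

func main() {
	alice, bob := NewBuilder("alice"), NewBuilder("bob")
	out := []byte("constructed reproducible build output\n")
	sigs := map[string][]byte{"alice": alice.Attest(out), "bob": bob.Attest(out)}
	fmt.Println("independent signers:", CountSigners(out, sigs, []Builder{alice, bob}))
}
```

Because the signer's name is part of the signed payload, a signature relayed under another builder's name does not verify and is not counted twice.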