guix-science

Re: “Building a Secure Software Supply Chain with GNU Guix”


From: zimoun
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Fri, 01 Jul 2022 11:21:43 +0200

Hi Bengt,

On Thu., 30 June 2022 at 23:37, bokr@bokr.com wrote:

> I think IWBN to have some kind of trust code come with that git output,
> like gpg's 1-5 but indicating how well the committer/signer trusts
> that using the code will *not* cause a problem.

Well, from my understanding, Guix is dealing with 4 sorts of code:

 1. Guix recipe of a package
 2. Guix service
 3. Guix itself
 4. Upstream

I do not think committers are pushing code about #1, #2 or #3 that they
know beforehand will cause a problem.

Therefore, I do not see how it could be implemented without being rooted
in committer feelings, opinion or self-confidence, i.e., highly variable
from one committer to the other.

The GPG trust level works because it is based on the web of trust.
Here, there is no web, IMHO.

Most of the security issues are from #4.  Considering how hard it is to
find and tackle the security issues, there are only two strategies, IMHO:
do not trust, which implies a deep audit of the distributed source code and
so restricts the set of available packages (it is somehow an OpenBSD
approach); or accept more packages, which means somehow trusting upstream,
to some extent.


However, all in all, it asks what is expected by the reviewing process,
as discussed [1]. :-)

1: <https://yhetil.org/guix/87r13aifi3.fsf_-_@gnu.org>


Cheers,
simon


