[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Guix and remote trust
|
From: |
zimoun |
|
Subject: |
Re: Guix and remote trust |
|
Date: |
Fri, 13 Dec 2019 16:26:13 +0100 |
Hi Pierre,
Thinking a bit of your issue and you have right: you cannot.
I mean, if you cannot trust the Guix daemon on a remote machine,
everything is doomed. Period! :-)
To me, you are asking: how can I verify the validity of a signature
using an untrusted GPG. Well, you cannot. The untrusted GPG can say
whatever it wants then it is game over. Trusting trust attack.
Well, so you need to transport one trusted Guix on the untrusted
machine balaitou.
For example, you create a container with Guix (code and daemon) from
the trusted machine aneto and then you move this container to
balaitou. From the machine balaitou, you start the container mounting
/gnu/store/ and verify the integrity (using the trusted guix). Then
you will know if you can trust or not the /gnu/store.
Something like that... I do not know.
Cheers,
simon
- Guix and remote trust, Pierre Neidhardt, 2019/12/12
- Re: Guix and remote trust, Christopher Baines, 2019/12/12
- Re: Guix and remote trust, Pierre Neidhardt, 2019/12/13
- Re: Guix and remote trust, zimoun, 2019/12/13
- Re: Guix and remote trust, Pierre Neidhardt, 2019/12/13
- Re: Guix and remote trust, zimoun, 2019/12/13
- Re: Guix and remote trust, Josh Marshall, 2019/12/13
- Re: Guix and remote trust, Pierre Neidhardt, 2019/12/13
- Re: Guix and remote trust, Pierre Neidhardt, 2019/12/13
- Re: Guix and remote trust, Pierre Neidhardt, 2019/12/13
- Re: Guix and remote trust,
zimoun <=