| 5 Jan 2025 |
emily | okay, exactly what I said | 16:48:00 |
Vladimír Čunát | Basically what you wrote. | 16:48:01 |
emily | though I wonder if dual-signing is a nicer approach, if it's feasible? | 16:48:06 |
Vladimír Čunát | I didn't see advantages in doing that. | 16:48:26 |
emily | oh that was even commented | 16:48:31 |
emily | once you remove the old key, you can still access objects further back | 16:48:44 |
emily | so it lets you remove the old key sooner (because you can start using the new key sooner (because it doesn't break compat to)) | 16:48:57 |
emily | makes "starting to sign with a fresh new key" not a flag day | 16:49:13 |
hexa | people can switch to the new key as soon as it is announced and forget they switched | 16:50:16 |
hexa | and yeah, I'm opposed to a flag day situation | 16:50:24 |
Vladimír Čunát | You essentially need to cut all the stuff that's now in the cache. | 16:51:22 |
Vladimír Čunát | Unless we go for re-signing. | 16:51:31 |
emily | I think it's okay to need adding the old key manually for archaeology | 16:51:48 |
emily | but e.g. (compressed schedule for illustration)
new key included 25.11, switch over to signing with new key 26.11, remove old key 27.11 – new key can verify two releases back
vs.
new key included and dual-signed 25.11, remove old key and stop signing with it 26.11 – new key can verify two releases back | 16:53:42 |
emily | dual-signing seems to significantly compress the schedule given the same choice of trade-offs to me | 16:53:55 |
emily | the flag day of "needing the new key to verify things" remains the same, but you can cut off the old one much sooner because you already prepared with the new key | 16:54:27 |
emily | it also means that people who know they don't need new releases can opt in to distrusting the old key sooner, though that's marginal | 16:54:51 |
emily | * it also means that people who know they don't need old releases can opt in to distrusting the old key sooner, though that's marginal | 16:54:55 |
Vladimír Čunát | The thing is that you can add a new key to be trusted easily. | 16:54:59 |
Vladimír Čunát | Dual-signing needs new code AFAIK. | 16:55:12 |
Vladimír Čunát | So the schedules wouldn't start at the same time in practice. | 16:55:40 |
hexa | what if nix and hydra would further the nixpkgs effort 🤔 | 16:56:09 |
hexa | let's dream for a minute here | 16:56:16 |
emily | 😆 | 16:57:41 |
emily | in all seriousness though, does the .narinfo format even support multiple signatures? | 16:58:14 |
raitobezarius | yes | 16:58:18 |
emily | could be worse then I guess | 16:58:31 |
hexa | so we file an issue with nix to support multiple signing keys in addToStore*? | 17:00:40 |
raitobezarius | i guess so | 17:01:14 |
raitobezarius | alternatively, you can start from there: https://github.com/NixOS/nix/pull/9076 :). | 17:01:19 |