| 27 Jun 2026 |
emily | because then you might as well skip the key | 12:05:36 |
hexa | we should get DNSSEC | 12:05:42 |
hexa | that shit is so complicated that attackers tend to forget it is in place | 12:06:00 |
emily | if you secure the transit enough that you feel you can trust any key coming down the wire then you don't need to sign the packages at all | 12:06:20 |
emily | tlog as key distribution mechanism would work though :) | 12:06:56 |
Mic92 | In reply to @hexa:lossy.network already deployed, sorry :) Okay should be fine | 12:07:27 |
Eli Saado | it depends on the threat model, transit can be very secure but if the server serving the packages is compromised an attacker can still serve malware if packages aren't signed | 12:07:27 |
hexa | I mean, we trust the key currently sitting on github in nixpkgs | 12:07:57 |
hexa | so we could also just fetch that | 12:08:03 |
emily | ideally we get Nixpkgs signed too one day | 12:09:23 |
emily | yes my point is that if you fetch new package signing keys like that without some other chain of trust then you can still do that | 12:09:54 |
wamserma | tlog sounds nice. + publishing a hash in a few different places as RoT? | 12:10:16 |
emily | tbh Merkle tree certs is what would be ideal, but that'd be a whole thing to teach Nix about | 12:10:16 |
emily | you can do better than that | 12:10:27 |
emily | https://witness-network.org/ | 12:10:38 |
emily | especially with WebPKI adopting MTCs with tlogs as the source of truth for certs there's a lot of nice things happening | 12:11:19 |
wamserma | did someone mention SLSA yet? | 12:13:09 |
hexa | yes, tooon in 2022 | 12:13:58 |
wamserma | (just being snarky, going full SLSA would be leaping instead of taking this in reasonable steps) | 12:15:26 |
hexa | given that this room is lossy | 12:15:43 |
hexa | y'all should schedule a meeting and discuss options | 12:15:58 |
hexa | and come back with a protocol | 12:16:03 |
wamserma | i can offer this as a thesis topic :) | 12:20:24 |
Vladimír Čunát | The GC issues need deploying some updates on the builders (as well), right? | 13:14:51 |
Mic92 | hexa (signing key rotation when): did this presumably? Because the branch is merged. | 13:17:58 |
Vladimír Čunát | A quick check didn't seem that way:
[root@elated-minsky:~]# ls -l /run/current-system
lrwxrwxrwx 1 root root 93 Jun 27 00:00 /run/current-system -> /nix/store/hy3xflm3y9ckb8zrdv73gb63xgmycw3g-nixos-system-elated-minsky-26.05.20260621.c1613e5
| 13:18:38 |
Mic92 | Okay, feel free to update. | 13:19:02 |