The most interesting thing I heard from the group overall was the observation that BT discussions get tricky because there's so many questions that can be brought up under that banner. I've felt that pain before too. Have we got a breakdown list of goals anywhere?
Here's a shot:
- [ANYBUILD] can we communicate a build definition to anyone (builds-from-source at all)
- [REPBUILD] is this build definition done right (consistent binary products)
- [TRUSTSRC] do i trust the build definition (comes down to audit or trust (either via author sig, or append-only log))
- [TRUSTRCR] do i trust the binary artifacts a build definition requires as inputs (e.g. can i recurse to those binaries' build definitions, and so on)
- [UPTODATE] is the binary artifact and/or build definition i'm holding up to date
- [SEETWIST] can i discover targeted misuses of (possibly compromised) signing keys
- [MORESIGS] how can we enhance log validity checks, and allow clear definition of multiple PoV's for trust
This is my top-of-the-head list -- do these line up with other folk's imaginings? Any appends?
We have answers in mind to several of these (append-only logs cover several bases), but tis nice to have a list of objectives sans implementation details.
One interesting thought I had as drafting that list is SEETWIST -- which we often seem to be setting our sights on with merklelogs -- may be subtly different than handling *widely* distributed bad-yet-signed packages. Just kicking that out there.
---
TUF --
http://theupdateframework.com/ -- is noteworthy for taking the UPTODATE objective very seriously. They also have an *excellent* enumeration of threats (rollbacks, replays, stalls, etc) in their docs, recommend reading. I'm not sure how TUF jives with distributed logs.
+1 to all DKG's comments about mergable/federatable/gossip-enabled logs. Having logs emanate from any party running a build seems wise.
Re: hashing objects / ipfs: Yeah, it's interesting to note more than one party has come to the conclusion objecthashes are a fundamental need. IPFS did it, Ben's ObjectHash did it, I did a one-off for tars, likely there's more. More interesting though, git did too. This is fine; it seems like duplication of effort and we can try to minimize it as time passes, but as far as dreaming of One True Spec, putting git in the field kinda blows a fuse on utility/cost ratios -- let's just all plan to play together? We might be well advised to have any general-purpose protocols leave room for a hashtree type flag. (That said, ObjectHash seems to be full of "right answers" usable as a library, which is really excellent.)
(n.b. ipfs folk also proposed a "multihash" spec, and while an interesting idea, imho this has a sharp upper limit on utility because the semantics of what you're hashing are at least as important as sha-n vs blake-m, yeah? So multihash might be great for their internal versioning, but you can't convince me it'll ever bridge the gap all the way to say, git, in a useful manner. Nor that you'd in all cases want to make such disparate things transparent.)
A passing note re: encodings:
http://cbor.io/ RFC 7049 is a fine one: semantically almost identical to JSON, binary length delimited for fast, supports binary strings without b64 or similar expensive escaping. Simple unambiguously spec'd varinits, even, if you're into that. Since it's *so* similar to JSON, we can define treehashes that actually see them as the same thing.
I like the redaction strategy in Objecthash, fwiw. Seems like a useful thing to bake in.
Spawning a new thread for git-config fun, as I imagine we might want to be able to look that one up by thread title.
---
What a wonderful forum! Cheers all.
-Eric