IRC channel logs
2023-04-20.log
<zimoun>civodul: Congrats for the invited talk by Galois. :-)
<zimoun>Other said: “Securing Update Propagation with Homomorphic Hashing”
<civodul>we'd need something like that for the "guix index" database maybe?
<zimoun>Pijul is a DVCS as Git, so I think it is larger than “database updates”. Or securing “guix pull” and “guix install foo” could also be seen as securing a database update. :-)
<zimoun>Especially when considering distributed substitutes and/or Git servers.
<civodul>could be, but it's too abstract for me
<civodul>"git pull" is about synchronizing Merkle DAGs, which have useful properties already
<zimoun>yeah for sure, the issue is that in “distributed” mode, you need to specify the source of authority. Pijul (implementing stuff à la Darcs) tries to have the same resulting “database” but considering that some edges can commute.
<zimoun>Somehow Pijul extends to have more useful properties. :-)
<civodul>it's a completely different beast than a Merkle DAG, but it's definitely interesting
<zimoun>If you give a look at the paper, the current implementation is “Approach 1: signing each update”.
<zimoun>Basically, “Approach 3: Efficiently updatable hashing. Ideally, we want to take an approach that provides integrity of updates using a computation that does not depend on the size of the database or the total number of updates.”
<zimoun>then later, “Merkle trees [Mer87] provide a partial solution to this problem.”
<zimoun>So my point is that, instead of TUF and friends that do not apply for the Guix model, maybe we should take inspiration with “secure update propagation of database”.
<civodul>we do have a solution though, and one that's generally applicable :-)
<zimoun>but the solution does not scale.
<zimoun>it depends on the size of the database and on the total number of updates.
<civodul>anyway, i don't think we'll address that this afternoon
<civodul>just don't throw the baby with the bath water
<zimoun>And the coincidence with your talk about Securing… at Galois and this seminar makes me think about that: maybe we could improve by reusing stuff.
<civodul>yeah, it's worth looking into that more deeply
<civodul>i really need to look at those talks on persistent data structures too!