guix-commits

09/66: ccs-2021: Write conclusion.


From: Ludovic Courtès
Subject: 09/66: ccs-2021: Write conclusion.
Date: Wed, 29 Jun 2022 11:31:58 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit bf219e34e6cd66afd168ea703d40c5817f300c2f
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon May 3 11:38:13 2021 +0200

    ccs-2021: Write conclusion.
---
 doc/ccs-2021/supply-chain.skb | 61 +++++++++++++++++++++++++++++--------------
 1 file changed, 41 insertions(+), 20 deletions(-)

diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index b1c2d25..0da1814 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -915,29 +915,50 @@ branch rather than the intended one.  The “secure push” 
operation and
 the associated ,(emph [reference state log]) (RSL) the authors propose
 would be an improvement.]))
 
-   (chapter :title [Conclusion and Outlook]
+   (chapter :title [Conclusion]
       :ident "conclusion"
       
-      (p [Guix now has a mechanism that allows it to authenticate
-updates.  If you’ve run ,(tt [guix pull]) recently, perhaps you’ve noticed
-additional output and a progress bar as new commits are being
-authenticated.  Apart from that, the switch has been completely
-transparent.  The authentication mechanism is built around the commit
-graph of Git; in fact, it’s a mechanism to ,(emph [authenticate Git checkouts])
-and in that sense it is not tied to Guix and its application domain.  It
-is available not only for the main ,(tt [guix]) channel, but also for
-third-party channels.])
-
-      (p [To bootstrap trust, we added the notion of ,(it [channel
+      (p [The update authentication mechanism described in this article
+was deployed more than a year ago.  Users updating with ,(tt [guix
+pull]) may have noticed a new progress bar while commits are being
+authenticated.  Apart from that, the change was transparent and our
+experience so far has been positive.  The authentication mechanism is
+built around the Git commit graph; it’s a mechanism to ,(emph
+[authenticate Git checkouts]) and in that sense it is not tied to Guix
+and its application domain.  To our knowledge, this is the first
+client-side-only Git update authentication in use.])
+      
+      (p [Guix records the commits of channels used to deploy a set of
+packages or even a complete operating system.  We took advantage of
+that, together with knowledge of the commit graph of these channels, to
+prevent downgrade attacks—both when running ,(tt [guix pull]) and when
+deploying the operating system.])
+
+      (p [The security of the software supply chain as managed by Guix
+relies on: auditability (every piece of software is built from source),
+verifiability (the functional model and reproducible builds make it easy
+to (re)build binaries and check whether they match the source), and
+secure updates (users updating Guix can only get genuine code vetted by
+the project).  We think this is a solid foundation that addresses common
+software supply chain issues at their core.])
+
+      (p [The security of free operating systems of course also depends
+on the security of the upstream software packages being distributed.  We
+hope our Git authentication model and/or tool can find its way as part
+of the development workflows upstream.  This would address one of the
+weakest points in today’s practices.])
+
+      #;(p [To bootstrap trust, we added the notion of ,(it [channel
 introductions]).  These are now visible in the user interface, in
-particular in the output of ,(tt [guix describe]) and in the configuration
-file of ,(tt [guix pull]) and ,(tt [guix time-machine]).  While channel
-configuration remains a few lines of code that users typically paste,
-this extra bit of configuration might be intimidating.  It certainly
-gives an incentive to provide a command-line interface to manage the
-user’s list of channels: ,(tt [guix channel add]), etc.])
-
-      (p [The solution here is built around the assumption that Guix is
+particular in the output of ,(tt [guix describe]) and in the
+configuration file of ,(tt [guix pull]) and ,(tt [guix time-machine]).
+While channel configuration remains a few lines of code that users
+typically paste, this extra bit of configuration might be intimidating.
+This gives us an incentive to facilitate the handling of channels and
+channel introductions, be it through a compact representation of these
+of ,(it [via]) improvements to the user interface.])
+
+      #;(p [The solution here is built around the assumption that Guix is
 fundamentally a source-based distribution, and is thus completely
 orthogonal to the public key infrastructure (PKI) Guix uses for the
 signature of substitutes.  Yet, the substitute PKI could probably
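Review bot: in the `#;`-disabled channel-introductions paragraph near the end of the hunk, "a compact representation of these of ,(it [via]) improvements to the user interface" reads as a typo for "these or ,(it [via])"; worth fixing now even though the paragraph is commented out, since it will come back verbatim if the paragraph is revived. Two smaller points in the new conclusion text: "deployed more than a year ago" is relative to the writing date and will go stale once the paper is published, so an absolute date or the Guix version that shipped the mechanism would be more durable; and "To our knowledge, this is the first client-side-only Git update authentication in use" is a strong priority claim that would read better with a short contrast against the related work in the preceding context (the secure-push and reference state log proposal), so readers can see what "client-side-only" excludes.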
