Snippet #4351 (by Ekleog, text)

Expires in: 0 minutes Compare Snippets View Raw 
Current scheme:
1. Hydra notices a drv to build
2. Hydra sends the drv to builder B
3. B builds
4. Hydra copy-closures the product of B's build to Hydra
5. On a “main” server, nix signs the built derivations
6. Said main server pushes the built derivation to the cache

TCB: steps 2, 3, 4, 5 (because from the time the derivation is picked by hydra to the time it's signed all the steps have to be secure)
Breakage for unability to recover: main server being compromised
Scope of damage if B temporarily compromised: all builds that were sent to it; and if Hydra was compromised too then any build

New scheme idea:
1. Hydra notices a drv to build
2. Hydra sends the drv to builder B
3. B builds and signs with builder-local key
4. B uploads the build to the cache
5. Hydra sends the drv to signer machine
6. Signer machine downloads the narinfo from the cache
7. Signer machine verifies signature of B, re-signs
8. Signer machine re-uploads the narinfo with the new key

TCB: steps 3 and 7 (because any step in-between is trustless)
Breakage for unability to recover: signer machine being compromised
Scope of damage if B temporarily compromised: all builds that were sent to it (assuming the signer machine verifies the signature of B and not only the signature of “any builder”); and if hydra was compromised too then any build

Reply to this snippet →

Honeypot, don't fill.
⌘+⏎ or Ctrl+⏎