[elzr]

How can you get an irrevocable ledger without solving the "no trust" problem?

[skybrian]

You have a lot of people watching the trusted source to make sure that it's append-only and follows the rules for appends. It's a reputation thing; not impossible but it will be detected.

[davrosthedalek]

Isn't reputation trust-by-historical-evidence?

[ajross]

The same way you know your copy of the kernel tree is authentic.

[kobeya]

Because my distro signed it? That is pure centralized trust.

[ajross]

Actually I meant the source tree, and it's because Linus signed the git commit, and thus the tree and all its history. But yeah, the distro works too, which is the whole point: centralized trust does work without a solution to the "no trust" problem. And it works because you build an identity that is consistent over time. I can trust the 4.10 tree because it's signed by the same keys that have been signing kernel keys for years, which are themselves cross-signed by a bunch of trusted identities who have similarly built histories.

So yeah, we trust Linus. And it works.

[kobeya]

Only if you're okay with benevolent dictators for life..

[ajross]

Which is rather a different point than "you must solve the no-trust problem to have an irrevocable ledger", isn't it?

[kobeya]

No, you're trusting the benevolent dictator. To have no-trust you need no trusted individuals.

[skybrian]

This is about tracking the source code using git. The specific thing being guaranteed is that they won't rewrite history; if they rebase you (and many others) will detect it.

Of course you're still trusting them in other ways.