Hacker News
by mbakke 2037 days ago
The implementation requires that you have at least one authorized substitute server advertising the same hash.

In simplified terms, if ci.guix.gnu.org advertises a substitute for /gnu/store/abc123-foo, with the checksum "xyz789" (and the cryptographic signature of that advertisement checks out), your daemon can safely download that file over P2P.


Ah, I think I'm misunderstanding the intent here. Clearly P2P distribution of checksummed binaries can be safe, I was just wondering if there were a solution to the build farm being behind. It seems like you can't really trust the first build of any artifact unless it comes from a central source.
There have been discussions of an "N of P" distribution, i.e. if 80% of available peers (or substitute servers) advertise the same build result, then treat it as safe.

I expect that both will be implemented, and the choice left up to the user.
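The two checks mbakke describes above, as an added example that is not code from the Guix project or from anyone in this thread: first, a daemon accepts a blob fetched from an untrusted peer only if an authorized substitute server signed an advertisement binding the store path to a content hash and the fetched bytes actually hash to that value; second, the "N of P" rule, which accepts a hash only when a given fraction of responding peers advertise it. Everything here is an assumption for illustration: the advertisement layout, Ed25519 signatures, SHA-256 content hashes, the server name `ci.example.org`, the store path and the deterministic demo keys. None of it is Guix's real wire format or key material.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Advertisement is a constructed stand-in for what a substitute server publishes
// about one store item: the path, the hash of its contents, and the server's
// signature over both. The layout is an assumption, not Guix's actual format.
type Advertisement struct {
	StorePath string
	SHA256    string // hex-encoded hash of the item's contents
	Signature []byte // Ed25519 signature over signingMessage(StorePath, SHA256)
	Server    string // name the advertisement claims to come from
}

// AuthorizedKeys maps a substitute server name to the public key the user has
// chosen to trust for it (the equivalent of an authorized-keys list).
type AuthorizedKeys map[string]ed25519.PublicKey

var (
	ErrUnauthorized = errors.New("advertisement not signed by an authorized substitute server")
	ErrHashMismatch = errors.New("downloaded contents do not match advertised hash")
)

// signingMessage fixes the bytes that get signed, so the path and the hash are
// bound together and neither can be swapped independently.
func signingMessage(path, hash string) []byte {
	return []byte(path + "\n" + hash + "\n")
}

// Sign is the substitute-server side: hash the built item and sign the binding.
func Sign(priv ed25519.PrivateKey, server, path string, contents []byte) Advertisement {
	sum := sha256.Sum256(contents)
	h := hex.EncodeToString(sum[:])
	return Advertisement{
		StorePath: path,
		SHA256:    h,
		Signature: ed25519.Sign(priv, signingMessage(path, h)),
		Server:    server,
	}
}

// VerifyDownload is the daemon side: the blob may only enter the store if the
// advertisement verifies under an authorized key AND the bytes fetched from the
// peer hash to the advertised value. The peer itself is never trusted.
func VerifyDownload(authorized AuthorizedKeys, ad Advertisement, fetched []byte) error {
	pub, ok := authorized[ad.Server]
	if !ok || !ed25519.Verify(pub, signingMessage(ad.StorePath, ad.SHA256), ad.Signature) {
		return ErrUnauthorized
	}
	sum := sha256.Sum256(fetched)
	if hex.EncodeToString(sum[:]) != ad.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// QuorumHash implements the "N of P" idea: given the hashes advertised by the
// peers that responded, return the hash that at least `threshold` of them agree
// on (e.g. 0.8 for 80%), or "" if no hash reaches that fraction. With a
// threshold above 0.5 at most one hash can qualify, so map order is irrelevant.
func QuorumHash(advertised []string, threshold float64) string {
	if len(advertised) == 0 {
		return ""
	}
	counts := map[string]int{}
	for _, h := range advertised {
		counts[h]++
	}
	for h, n := range counts {
		if float64(n)/float64(len(advertised)) >= threshold {
			return h
		}
	}
	return ""
}

// ConstructedKeyPair derives a deterministic demo key pair from a single byte.
// This is only so the example runs offline; real keys come from a CSPRNG.
func ConstructedKeyPair(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := ConstructedKeyPair(1)
	authorized := AuthorizedKeys{"ci.example.org": pub}
	contents := []byte("constructed build output for foo") // stand-in for the store item
	ad := Sign(priv, "ci.example.org", "/gnu/store/abc123-foo", contents)

	fmt.Println("genuine peer copy:   ", VerifyDownload(authorized, ad, contents))
	fmt.Println("tampered peer copy:  ", VerifyDownload(authorized, ad, []byte("not what was built")))
	_, rogue := ConstructedKeyPair(2) // a key the user never authorized
	fmt.Println("forged advertisement:", VerifyDownload(authorized, Sign(rogue, "ci.example.org", ad.StorePath, contents), contents))
	fmt.Println("quorum 4 of 5 agree: ", QuorumHash([]string{"h1", "h1", "h1", "h1", "h2"}, 0.8))
}
```

The point of keeping the two checks separate is that the peer network only ever supplies bytes; trust comes from the authorized server's signature over the path-to-hash binding, and the hash check is what makes a peer's copy interchangeable with the server's. `QuorumHash` shows the alternative policy as a pure counting rule, which makes its dependence on how many independent peers answer explicit.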

Unless I'm massively underestimating the number of Guix users, that seems quite easy to exploit.