l...@gnu.org (Ludovic Courtès) writes:
> Ideally, I imagine you could do something like:
>
> dht-get /gnu/store/ykmg6ydrmlkn600wklriw3wzc1z3dcli-emacs-24.3
>
> and get as a reply (roughly) a tuple containing:
>
> 1. a signature (as a canonical s-expression);
Why only one signature? I think this should be a set of signatures.
Nodes should accumulate a set of signatures asserting that a given build
output is the result of a given derivation, just as GPG accumulates a
list of signatures on each user id, no?
This is the only way I know of to achieve confidence that the build
outputs are authentic.
Mark
