0149-cache-key-rotation: init WIP

Vladimír Čunát 2023-05-26 17:37:15 +02:00
parent 02458c2ecc
commit 7681874854
No known key found for this signature in database
GPG key ID: E747DF1F9575A3AA


@ -0,0 +1,73 @@
---
feature: (fill me in with a unique ident, my_awesome_feature)
start-date: (fill me in with today's date, YYYY-MM-DD)
author: (name of the main author)
co-authors: (find a buddy later to help out with the RFC)
shepherd-team: (names, to be nominated and accepted by RFC steering committee)
shepherd-leader: (name to be appointed by RFC steering committee)
related-issues: (will contain links to implementation PRs)
---
# Summary
[summary]: #summary
Rotate cache.nixos.org signing key.
If we tolerate that people using stuff older than *X* could get a validation failure by default, fully rotating the key in 2*X* time seems relatively straightforward.
# Motivation
[motivation]: #motivation
Never rotating a key is bad security practice.
The current one has been in use at least since 2015.
# Detailed design
[design]: #detailed-design
Preliminary action plan:
- generate a new key
- make it trusted by default (nix+nixpkgs, perhaps with backports to some branches)
- wait until enough people trust the new key (at least one year, probably)
- switch to signing with the new key
- wait - until paths not signed by new key aren't commonly needed anymore
- make Nix not need signatures for fixed-output derivations
(this step could be completed anytime earlier, too)
FIXME: maybe this holds already:
https://nixos.org/manual/nix/unstable/command-ref/conf-file.html#conf-trusted-public-keys
- stop trusting the old key (nix+nixpkgs)
- - -
# Examples and Interactions
[examples-and-interactions]: #examples-and-interactions
This section illustrates the detailed design. This section should clarify all
confusion the reader has from the previous sections. It is especially important
to counterbalance the desired terseness of the detailed design; if you feel
your detailed design is rudely short, consider making this section longer
instead.
# Drawbacks
[drawbacks]: #drawbacks
Why should we *not* do this?
# Alternatives
[alternatives]: #alternatives
What other designs have been considered? What is the impact of not doing this?
# Unresolved questions
[unresolved]: #unresolved-questions
- confirm Nix's (non-)acceptance of FODs without signature
- determine timing (e.g. the *X* above)
# Future work
[future]: #future-work
What future work, if any, would be implied or impacted by this feature
without being directly part of the work?
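Review bot: the "switch to signing with the new key" step in the detailed design is a hard cutover, which is why the plan then needs a second wait "until paths not signed by new key aren't commonly needed anymore"; consider instead signing with both the old and the new key for the whole overlap period (a narinfo can carry more than one `Sig:` line, and a client accepts the path if any signature matches one of its `trusted-public-keys`), so every path stays valid for clients that trust either key and the only remaining wait is for the new key to reach enough clients before the old one is dropped. The FIXME under the fixed-output-derivation step points at the `trusted-public-keys` documentation, which describes which keys are trusted rather than whether unsigned fixed-output paths are accepted, and the same question is repeated verbatim in "Unresolved questions"; keep it in one place and phrase it as the concrete check to run (fetch a fixed-output path from a cache with no matching key and record whether Nix rejects it). The summary and the plan both depend on *X* but the plan never says which wait it denotes, so state it next to the step it governs. The "Examples and Interactions", "Drawbacks", "Alternatives" and "Future work" sections still contain the template prompts, and the front matter (`feature`, `start-date`, `author`) is unfilled although the commit title already names the RFC as 0149-cache-key-rotation; fine for an init WIP, but worth filling before review since the drawbacks section is where the "people using stuff older than *X* could get a validation failure" cost from the summary belongs.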