diff --git a/rfcs/0149-cache-key-rotation.md b/rfcs/0149-cache-key-rotation.md new file mode 100644 index 0000000..a38f2a4 --- /dev/null +++ b/rfcs/0149-cache-key-rotation.md @@ -0,0 +1,73 @@ +--- +feature: (fill me in with a unique ident, my_awesome_feature) +start-date: (fill me in with today's date, YYYY-MM-DD) +author: (name of the main author) +co-authors: (find a buddy later to help out with the RFC) +shepherd-team: (names, to be nominated and accepted by RFC steering committee) +shepherd-leader: (name to be appointed by RFC steering committee) +related-issues: (will contain links to implementation PRs) +--- + +# Summary +[summary]: #summary + +Rotate cache.nixos.org signing key. + +If we tolerate that people using stuff older than *X* could get a validation failure by default, fully rotating the key in 2*X* time seems relatively straightforward. + +# Motivation +[motivation]: #motivation + +Never rotating a key is bad security practice. +The current one has been in use at least since 2015. + +# Detailed design +[design]: #detailed-design + +Preliminary action plan: +- generate a new key +- make it trusted by default (nix+nixpkgs, perhaps with backports to some branches) +- wait until enough people trust the new key (at least one year, probably) +- switch to signing with the new key +- wait - until paths not signed by new key aren't commonly needed anymore +- make Nix not need signatures for fixed-output derivations + (this step could be completed anytime earlier, too) + FIXME: maybe this holds already: + https://nixos.org/manual/nix/unstable/command-ref/conf-file.html#conf-trusted-public-keys +- stop trusting the old key (nix+nixpkgs) + + + +- - - + + +# Examples and Interactions +[examples-and-interactions]: #examples-and-interactions + +This section illustrates the detailed design. This section should clarify all +confusion the reader has from the previous sections. It is especially important +to counterbalance the desired terseness of the detailed design; if you feel +your detailed design is rudely short, consider making this section longer +instead. + +# Drawbacks +[drawbacks]: #drawbacks + +Why should we *not* do this? + +# Alternatives +[alternatives]: #alternatives + +What other designs have been considered? What is the impact of not doing this? + +# Unresolved questions +[unresolved]: #unresolved-questions + +- confirm Nix's (non-)acceptance of FODs without signature +- determine timing (e.g. the *X* above) + +# Future work +[future]: #future-work + +What future work, if any, would be implied or impacted by this feature +without being directly part of the work?