Collaborative Working Sessions - Distributed verification II

Distributed verification II

Goal Go through notes of yesterday and last year, and distill actionable ideas

Recap of notes from yesterday

Problem You have dozens of rebuilders, with different trust levels, they sometimes fail, sometimes behave maliciously, how can you trust them?

Is this an open consensus problem?

Yes,some specific questions are:

What you use, what you are, what you produce? This problem is saved with slsa/in-toto attestations. Caveat: if someone wants to lie, they can lie

How can you replicate, what’s guaranteed in an attestation? Is the attestation self-descriptive enough to reproduce it? No, the attestation isn’t, who need something else.

How can you use it then to build consensus? You need to establish some scheme.

Tools to index and search attestations:

in-toto attestation not concerned with rebuilding, but with attesting.

Ecosystems have different tools to allow rebuilds

How do we establish trust in rebuilders?

Agree to ignore notes from last year. It is hard to recap them now. Will prepare them in a future session.

Looking at notes from yesterday

Trust

“there’s a global set of builders a subset of which can be trusted by a verifier” The statement misses delegation. Delegation: establish trust in curators, to curate list of rebuilders to trust?

There should not be a restriction in how many levels deep you can delegate.

Resilience

Secure resilience against

Diversity is a means to achieve resilience How many must agree? Depends on ecosystem. Threshold must be configurable

How to move forward? Capture more properties of the desired verification system and structure them.